Add bulk copy and delete all tags for node replacement workflow

When replacing a node device, users can now: - Copy All: Copy all tags to a new node (skips existing tags) - Delete All: Remove all tags from a node after migration New API endpoints: - POST /api/v1/nodes/{pk}/tags/copy-to/{dest_pk} - DELETE /api/v1/nodes/{pk}/tags Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add access denied page for unauthenticated admin access
2026-01-11 14:46:51 +00:00 · 2026-01-11 13:34:03 +00:00 · 2026-01-11 13:13:22 +00:00 · 2026-01-11 12:51:56 +00:00 · 2026-01-11 12:49:34 +00:00 · 2026-01-11 12:01:11 +00:00
23 changed files with 1712 additions and 86 deletions
@@ -487,7 +487,7 @@ The database can be seeded with node tags and network members from YAML files in
 - `node_tags.yaml` - Node tag definitions (keyed by public_key)
 - `members.yaml` - Network member definitions

-Seeding is a separate process from the collector and must be run explicitly:
+**Important:** Seeding is NOT automatic and must be run explicitly. This prevents seed files from overwriting user changes made via the admin UI.

 ```bash
 # Native CLI
@@ -497,6 +497,8 @@ meshcore-hub collector seed
 docker compose --profile seed up
 ```

+**Note:** Once the admin UI is enabled (`WEB_ADMIN_ENABLED=true`), tags should be managed through the web interface rather than seed files.
+
 ### Webhook Configuration

 The collector supports forwarding events to external HTTP endpoints:
@@ -471,21 +471,18 @@ Tags are keyed by public key in YAML format:
 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210:
  friendly_name: Oakland Repeater
  altitude: 150
-  location:
-    value: "37.8044,-122.2712"
-    type: coordinate
 ```

 Tag values can be:
 - **YAML primitives** (auto-detected type): strings, numbers, booleans
- **Explicit type** (for special types like coordinate):
+- **Explicit type** (when you need to force a specific type):
  ```yaml
-  location:
-    value: "37.7749,-122.4194"
-    type: coordinate
+  altitude:
+    value: "150"
+    type: number
  ```

-Supported types: `string`, `number`, `boolean`, `coordinate`
+Supported types: `string`, `number`, `boolean`

 ### Import Tags Manually

@@ -139,7 +139,7 @@ services:
      - core
    restart: unless-stopped
    depends_on:
-      seed:
+      db-migrate:
        condition: service_completed_successfully
    volumes:
      - ${DATA_HOME:-./data}:/data
@@ -196,7 +196,7 @@ services:
      - core
    restart: unless-stopped
    depends_on:
-      seed:
+      db-migrate:
        condition: service_completed_successfully
      collector:
        condition: service_started
@@ -249,7 +249,9 @@ services:
    environment:
      - LOG_LEVEL=${LOG_LEVEL:-INFO}
      - API_BASE_URL=http://api:8000
-      - API_KEY=${API_READ_KEY:-}
+      # Use ADMIN key to allow write operations from admin interface
+      # Falls back to READ key if ADMIN key is not set
+      - API_KEY=${API_ADMIN_KEY:-${API_READ_KEY:-}}
      - WEB_HOST=0.0.0.0
      - WEB_PORT=8080
      - WEB_ADMIN_ENABLED=${WEB_ADMIN_ENABLED:-false}
@@ -293,7 +295,10 @@ services:
    command: ["db", "upgrade"]

  # ==========================================================================
-  # Seed Data - Import node_tags.json and members.json from SEED_HOME
+  # Seed Data - Import node_tags.yaml and members.yaml from SEED_HOME
+  # NOTE: This is NOT run automatically. Use --profile seed to run explicitly.
+  # Since tags are now managed via the admin UI, automatic seeding would
+  # overwrite user changes.
  # ==========================================================================
  seed:
    image: ghcr.io/ipnet-mesh/meshcore-hub:${IMAGE_VERSION:-latest}
@@ -302,8 +307,6 @@ services:
      dockerfile: Dockerfile
    container_name: meshcore-seed
    profiles:
-      - all
-      - core
      - seed
    restart: "no"
    depends_on:
@@ -320,7 +323,7 @@ services:
      - LOG_LEVEL=${LOG_LEVEL:-INFO}
      # Explicitly unset to use DATA_HOME-based default path
      - DATABASE_URL=
-    # Imports both node_tags.json and members.json if they exist
+    # Imports both node_tags.yaml and members.yaml if they exist
    command: ["collector", "seed"]

 # ==========================================================================
@@ -7,12 +7,12 @@
 #     elevation: 150               # number
 #     is_online: true              # boolean
 #
-# - Explicit type (for special types like coordinate):
-#     location:
-#       value: "37.7749,-122.4194"
-#       type: coordinate
+# - Explicit type (when you need to force a specific type):
+#     altitude:
+#       value: "150"
+#       type: number
 #
-# Supported types: string, number, boolean, coordinate
+# Supported types: string, number, boolean

 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef:
  friendly_name: Gateway Node
@@ -6,7 +6,13 @@ from sqlalchemy import select
 from meshcore_hub.api.auth import RequireAdmin, RequireRead
 from meshcore_hub.api.dependencies import DbSession
 from meshcore_hub.common.models import Node, NodeTag
-from meshcore_hub.common.schemas.nodes import NodeTagCreate, NodeTagRead, NodeTagUpdate
+from meshcore_hub.common.schemas.nodes import (
+    NodeTagCreate,
+    NodeTagMove,
+    NodeTagRead,
+    NodeTagsCopyResult,
+    NodeTagUpdate,
+)

 router = APIRouter()

@@ -130,6 +136,131 @@ async def update_node_tag(
    return NodeTagRead.model_validate(node_tag)


+@router.put("/nodes/{public_key}/tags/{key}/move", response_model=NodeTagRead)
+async def move_node_tag(
+    _: RequireAdmin,
+    session: DbSession,
+    public_key: str,
+    key: str,
+    data: NodeTagMove,
+) -> NodeTagRead:
+    """Move a node tag to a different node."""
+    # Check if source and destination are the same
+    if public_key == data.new_public_key:
+        raise HTTPException(
+            status_code=400,
+            detail="Source and destination nodes are the same",
+        )
+
+    # Find source node
+    source_query = select(Node).where(Node.public_key == public_key)
+    source_node = session.execute(source_query).scalar_one_or_none()
+
+    if not source_node:
+        raise HTTPException(status_code=404, detail="Source node not found")
+
+    # Find tag
+    tag_query = select(NodeTag).where(
+        (NodeTag.node_id == source_node.id) & (NodeTag.key == key)
+    )
+    node_tag = session.execute(tag_query).scalar_one_or_none()
+
+    if not node_tag:
+        raise HTTPException(status_code=404, detail="Tag not found")
+
+    # Find destination node
+    dest_query = select(Node).where(Node.public_key == data.new_public_key)
+    dest_node = session.execute(dest_query).scalar_one_or_none()
+
+    if not dest_node:
+        raise HTTPException(status_code=404, detail="Destination node not found")
+
+    # Check if tag already exists on destination node
+    conflict_query = select(NodeTag).where(
+        (NodeTag.node_id == dest_node.id) & (NodeTag.key == key)
+    )
+    conflict = session.execute(conflict_query).scalar_one_or_none()
+
+    if conflict:
+        raise HTTPException(
+            status_code=409,
+            detail=f"Tag '{key}' already exists on destination node",
+        )
+
+    # Move tag to destination node
+    node_tag.node_id = dest_node.id
+    session.commit()
+    session.refresh(node_tag)
+
+    return NodeTagRead.model_validate(node_tag)
+
+
+@router.post(
+    "/nodes/{public_key}/tags/copy-to/{dest_public_key}",
+    response_model=NodeTagsCopyResult,
+)
+async def copy_all_tags(
+    _: RequireAdmin,
+    session: DbSession,
+    public_key: str,
+    dest_public_key: str,
+) -> NodeTagsCopyResult:
+    """Copy all tags from one node to another.
+
+    Tags that already exist on the destination node are skipped.
+    """
+    # Check if source and destination are the same
+    if public_key == dest_public_key:
+        raise HTTPException(
+            status_code=400,
+            detail="Source and destination nodes are the same",
+        )
+
+    # Find source node
+    source_query = select(Node).where(Node.public_key == public_key)
+    source_node = session.execute(source_query).scalar_one_or_none()
+
+    if not source_node:
+        raise HTTPException(status_code=404, detail="Source node not found")
+
+    # Find destination node
+    dest_query = select(Node).where(Node.public_key == dest_public_key)
+    dest_node = session.execute(dest_query).scalar_one_or_none()
+
+    if not dest_node:
+        raise HTTPException(status_code=404, detail="Destination node not found")
+
+    # Get existing tags on destination node
+    existing_query = select(NodeTag.key).where(NodeTag.node_id == dest_node.id)
+    existing_keys = set(session.execute(existing_query).scalars().all())
+
+    # Copy tags
+    copied = 0
+    skipped_keys = []
+
+    for tag in source_node.tags:
+        if tag.key in existing_keys:
+            skipped_keys.append(tag.key)
+            continue
+
+        new_tag = NodeTag(
+            node_id=dest_node.id,
+            key=tag.key,
+            value=tag.value,
+            value_type=tag.value_type,
+        )
+        session.add(new_tag)
+        copied += 1
+
+    session.commit()
+
+    return NodeTagsCopyResult(
+        copied=copied,
+        skipped=len(skipped_keys),
+        skipped_keys=skipped_keys,
+    )
+
+
@router.delete("/nodes/{public_key}/tags/{key}", status_code=204)
 async def delete_node_tag(
    _: RequireAdmin,
@@ -156,3 +287,27 @@ async def delete_node_tag(

    session.delete(node_tag)
    session.commit()
+
+
+@router.delete("/nodes/{public_key}/tags")
+async def delete_all_node_tags(
+    _: RequireAdmin,
+    session: DbSession,
+    public_key: str,
+) -> dict:
+    """Delete all tags for a node."""
+    # Find node
+    node_query = select(Node).where(Node.public_key == public_key)
+    node = session.execute(node_query).scalar_one_or_none()
+
+    if not node:
+        raise HTTPException(status_code=404, detail="Node not found")
+
+    # Count and delete all tags
+    count = len(node.tags)
+    for tag in node.tags:
+        session.delete(tag)
+
+    session.commit()
+
+    return {"deleted": count}
@@ -433,12 +433,12 @@ def import_tags_cmd(
    \b
    0123456789abcdef...:
      friendly_name: My Node
-      location:
-        value: "52.0,1.0"
-        type: coordinate
      altitude:
        value: "150"
        type: number
+      active:
+        value: "true"
+        type: boolean

    Shorthand is also supported (string values with default type):

@@ -447,7 +447,7 @@ def import_tags_cmd(
      friendly_name: My Node
      role: gateway

-    Supported types: string, number, boolean, coordinate
+    Supported types: string, number, boolean
    """
    from pathlib import Path

@@ -19,7 +19,7 @@ class TagValue(BaseModel):
    """Schema for a tag value with type."""

    value: str | None = None
-    type: str = Field(default="string", pattern=r"^(string|number|boolean|coordinate)$")
+    type: str = Field(default="string", pattern=r"^(string|number|boolean)$")


 class NodeTags(BaseModel):
@@ -21,7 +21,7 @@ class NodeTag(Base, UUIDMixin, TimestampMixin):
        node_id: Foreign key to nodes table
        key: Tag name/key
        value: Tag value (stored as text, can be JSON for typed values)
-        value_type: Type hint (string, number, boolean, coordinate)
+        value_type: Type hint (string, number, boolean)
        created_at: Record creation timestamp
        updated_at: Record update timestamp
    """
@@ -19,7 +19,7 @@ class NodeTagCreate(BaseModel):
        default=None,
        description="Tag value",
    )
-    value_type: Literal["string", "number", "boolean", "coordinate"] = Field(
+    value_type: Literal["string", "number", "boolean"] = Field(
        default="string",
        description="Value type hint",
    )
@@ -32,12 +32,33 @@ class NodeTagUpdate(BaseModel):
        default=None,
        description="Tag value",
    )
-    value_type: Optional[Literal["string", "number", "boolean", "coordinate"]] = Field(
+    value_type: Optional[Literal["string", "number", "boolean"]] = Field(
        default=None,
        description="Value type hint",
    )


+class NodeTagMove(BaseModel):
+    """Schema for moving a node tag to a different node."""
+
+    new_public_key: str = Field(
+        ...,
+        min_length=64,
+        max_length=64,
+        description="Public key of the destination node",
+    )
+
+
+class NodeTagsCopyResult(BaseModel):
+    """Schema for bulk copy tags result."""
+
+    copied: int = Field(..., description="Number of tags copied")
+    skipped: int = Field(..., description="Number of tags skipped (already exist)")
+    skipped_keys: list[str] = Field(
+        default_factory=list, description="Keys of skipped tags"
+    )
+
+
 class NodeTagRead(BaseModel):
    """Schema for reading a node tag."""

@@ -175,5 +175,6 @@ def get_network_context(request: Request) -> dict:
        "network_contact_discord": request.app.state.network_contact_discord,
        "network_contact_github": request.app.state.network_contact_github,
        "network_welcome_text": request.app.state.network_welcome_text,
+        "admin_enabled": request.app.state.admin_enabled,
        "version": __version__,
    }
@@ -1,31 +1,393 @@
-"""Admin page route."""
+"""Admin page routes."""

 import logging
+from typing import Any, Optional
+from urllib.parse import urlencode

-from fastapi import APIRouter, HTTPException, Request
-from fastapi.responses import HTMLResponse
+from fastapi import APIRouter, Form, HTTPException, Query, Request
+from fastapi.responses import HTMLResponse, RedirectResponse
+from httpx import Response

 from meshcore_hub.web.app import get_network_context, get_templates

+
+def _build_redirect_url(
+    public_key: str,
+    message: Optional[str] = None,
+    error: Optional[str] = None,
+) -> str:
+    """Build a properly encoded redirect URL with optional message/error."""
+    params: dict[str, str] = {"public_key": public_key}
+    if message:
+        params["message"] = message
+    if error:
+        params["error"] = error
+    return f"/a/node-tags?{urlencode(params)}"
+
+
+def _get_error_detail(response: Response) -> str:
+    """Safely extract error detail from response JSON."""
+    try:
+        data: Any = response.json()
+        detail: str = data.get("detail", "Unknown error")
+        return detail
+    except Exception:
+        return "Unknown error"
+
+
 logger = logging.getLogger(__name__)
 router = APIRouter(prefix="/a", tags=["admin"])


+def _check_admin_enabled(request: Request) -> None:
+    """Check if admin interface is enabled, raise 404 if not."""
+    if not getattr(request.app.state, "admin_enabled", False):
+        raise HTTPException(status_code=404, detail="Not Found")
+
+
+def _get_auth_context(request: Request) -> dict:
+    """Extract OAuth2Proxy authentication headers."""
+    return {
+        "auth_user": request.headers.get("X-Forwarded-User"),
+        "auth_groups": request.headers.get("X-Forwarded-Groups"),
+        "auth_email": request.headers.get("X-Forwarded-Email"),
+        "auth_username": request.headers.get("X-Forwarded-Preferred-Username"),
+    }
+
+
+def _is_authenticated(request: Request) -> bool:
+    """Check if user is authenticated via OAuth2Proxy headers."""
+    return bool(
+        request.headers.get("X-Forwarded-User")
+        or request.headers.get("X-Forwarded-Email")
+    )
+
+
+def _require_auth(request: Request) -> None:
+    """Require authentication, raise 403 if not authenticated."""
+    if not _is_authenticated(request):
+        raise HTTPException(status_code=403, detail="Access denied")
+
+
@router.get("/", response_class=HTMLResponse)
 async def admin_home(request: Request) -> HTMLResponse:
    """Render the admin page with OAuth2Proxy user info."""
-    # Check if admin interface is enabled
-    if not getattr(request.app.state, "admin_enabled", False):
-        raise HTTPException(status_code=404, detail="Not Found")
+    _check_admin_enabled(request)

    templates = get_templates(request)
    context = get_network_context(request)
    context["request"] = request
+    context.update(_get_auth_context(request))

-    # Extract OAuth2Proxy headers
-    context["auth_user"] = request.headers.get("X-Forwarded-User")
-    context["auth_groups"] = request.headers.get("X-Forwarded-Groups")
-    context["auth_email"] = request.headers.get("X-Forwarded-Email")
-    context["auth_username"] = request.headers.get("X-Forwarded-Preferred-Username")
+    # Check if user is authenticated
+    if not _is_authenticated(request):
+        return templates.TemplateResponse(
+            "admin/access_denied.html", context, status_code=403
+        )

-    return templates.TemplateResponse("admin.html", context)
+    return templates.TemplateResponse("admin/index.html", context)
+
+
+@router.get("/node-tags", response_class=HTMLResponse)
+async def admin_node_tags(
+    request: Request,
+    public_key: Optional[str] = Query(None),
+    message: Optional[str] = Query(None),
+    error: Optional[str] = Query(None),
+) -> HTMLResponse:
+    """Admin page for managing node tags."""
+    _check_admin_enabled(request)
+
+    templates = get_templates(request)
+    context = get_network_context(request)
+    context["request"] = request
+    context.update(_get_auth_context(request))
+
+    # Check if user is authenticated
+    if not _is_authenticated(request):
+        return templates.TemplateResponse(
+            "admin/access_denied.html", context, status_code=403
+        )
+
+    # Flash messages from redirects
+    context["message"] = message
+    context["error"] = error
+
+    # Fetch all nodes for dropdown
+    nodes = []
+    try:
+        response = await request.app.state.http_client.get(
+            "/api/v1/nodes",
+            params={"limit": 100},
+        )
+        if response.status_code == 200:
+            data = response.json()
+            nodes = data.get("items", [])
+            # Sort nodes alphabetically by name (unnamed nodes at the end)
+            nodes.sort(
+                key=lambda n: (n.get("name") is None, (n.get("name") or "").lower())
+            )
+    except Exception as e:
+        logger.exception("Failed to fetch nodes: %s", e)
+        context["error"] = "Failed to fetch nodes"
+
+    context["nodes"] = nodes
+    context["selected_public_key"] = public_key
+
+    # Fetch tags for selected node
+    tags = []
+    selected_node = None
+    if public_key:
+        # Find the selected node in the list
+        for node in nodes:
+            if node.get("public_key") == public_key:
+                selected_node = node
+                break
+
+        try:
+            response = await request.app.state.http_client.get(
+                f"/api/v1/nodes/{public_key}/tags",
+            )
+            if response.status_code == 200:
+                tags = response.json()
+            elif response.status_code == 404:
+                context["error"] = "Node not found"
+        except Exception as e:
+            logger.exception("Failed to fetch tags: %s", e)
+            context["error"] = "Failed to fetch tags"
+
+    context["tags"] = tags
+    context["selected_node"] = selected_node
+
+    return templates.TemplateResponse("admin/node_tags.html", context)
+
+
+@router.post("/node-tags", response_class=RedirectResponse)
+async def admin_create_node_tag(
+    request: Request,
+    public_key: str = Form(...),
+    key: str = Form(...),
+    value: str = Form(""),
+    value_type: str = Form("string"),
+) -> RedirectResponse:
+    """Create a new node tag."""
+    _check_admin_enabled(request)
+    _require_auth(request)
+
+    try:
+        response = await request.app.state.http_client.post(
+            f"/api/v1/nodes/{public_key}/tags",
+            json={
+                "key": key,
+                "value": value or None,
+                "value_type": value_type,
+            },
+        )
+        if response.status_code == 201:
+            redirect_url = _build_redirect_url(
+                public_key, message=f"Tag '{key}' created successfully"
+            )
+        elif response.status_code == 409:
+            redirect_url = _build_redirect_url(
+                public_key, error=f"Tag '{key}' already exists"
+            )
+        elif response.status_code == 404:
+            redirect_url = _build_redirect_url(public_key, error="Node not found")
+        else:
+            redirect_url = _build_redirect_url(
+                public_key, error=_get_error_detail(response)
+            )
+    except Exception as e:
+        logger.exception("Failed to create tag: %s", e)
+        redirect_url = _build_redirect_url(public_key, error="Failed to create tag")
+
+    return RedirectResponse(url=redirect_url, status_code=303)
+
+
+@router.post("/node-tags/update", response_class=RedirectResponse)
+async def admin_update_node_tag(
+    request: Request,
+    public_key: str = Form(...),
+    key: str = Form(...),
+    value: str = Form(""),
+    value_type: str = Form("string"),
+) -> RedirectResponse:
+    """Update an existing node tag."""
+    _check_admin_enabled(request)
+    _require_auth(request)
+
+    try:
+        response = await request.app.state.http_client.put(
+            f"/api/v1/nodes/{public_key}/tags/{key}",
+            json={
+                "value": value or None,
+                "value_type": value_type,
+            },
+        )
+        if response.status_code == 200:
+            redirect_url = _build_redirect_url(
+                public_key, message=f"Tag '{key}' updated successfully"
+            )
+        elif response.status_code == 404:
+            redirect_url = _build_redirect_url(
+                public_key, error=f"Tag '{key}' not found"
+            )
+        else:
+            redirect_url = _build_redirect_url(
+                public_key, error=_get_error_detail(response)
+            )
+    except Exception as e:
+        logger.exception("Failed to update tag: %s", e)
+        redirect_url = _build_redirect_url(public_key, error="Failed to update tag")
+
+    return RedirectResponse(url=redirect_url, status_code=303)
+
+
+@router.post("/node-tags/move", response_class=RedirectResponse)
+async def admin_move_node_tag(
+    request: Request,
+    public_key: str = Form(...),
+    key: str = Form(...),
+    new_public_key: str = Form(...),
+) -> RedirectResponse:
+    """Move a node tag to a different node."""
+    _check_admin_enabled(request)
+    _require_auth(request)
+
+    try:
+        response = await request.app.state.http_client.put(
+            f"/api/v1/nodes/{public_key}/tags/{key}/move",
+            json={"new_public_key": new_public_key},
+        )
+        if response.status_code == 200:
+            # Redirect to the destination node after successful move
+            redirect_url = _build_redirect_url(
+                new_public_key, message=f"Tag '{key}' moved successfully"
+            )
+        elif response.status_code == 404:
+            # Stay on source node if not found
+            redirect_url = _build_redirect_url(
+                public_key, error=_get_error_detail(response)
+            )
+        elif response.status_code == 409:
+            redirect_url = _build_redirect_url(
+                public_key, error=f"Tag '{key}' already exists on destination node"
+            )
+        else:
+            redirect_url = _build_redirect_url(
+                public_key, error=_get_error_detail(response)
+            )
+    except Exception as e:
+        logger.exception("Failed to move tag: %s", e)
+        redirect_url = _build_redirect_url(public_key, error="Failed to move tag")
+
+    return RedirectResponse(url=redirect_url, status_code=303)
+
+
+@router.post("/node-tags/delete", response_class=RedirectResponse)
+async def admin_delete_node_tag(
+    request: Request,
+    public_key: str = Form(...),
+    key: str = Form(...),
+) -> RedirectResponse:
+    """Delete a node tag."""
+    _check_admin_enabled(request)
+    _require_auth(request)
+
+    try:
+        response = await request.app.state.http_client.delete(
+            f"/api/v1/nodes/{public_key}/tags/{key}",
+        )
+        if response.status_code == 204:
+            redirect_url = _build_redirect_url(
+                public_key, message=f"Tag '{key}' deleted successfully"
+            )
+        elif response.status_code == 404:
+            redirect_url = _build_redirect_url(
+                public_key, error=f"Tag '{key}' not found"
+            )
+        else:
+            redirect_url = _build_redirect_url(
+                public_key, error=_get_error_detail(response)
+            )
+    except Exception as e:
+        logger.exception("Failed to delete tag: %s", e)
+        redirect_url = _build_redirect_url(public_key, error="Failed to delete tag")
+
+    return RedirectResponse(url=redirect_url, status_code=303)
+
+
+@router.post("/node-tags/copy-all", response_class=RedirectResponse)
+async def admin_copy_all_tags(
+    request: Request,
+    public_key: str = Form(...),
+    dest_public_key: str = Form(...),
+) -> RedirectResponse:
+    """Copy all tags from one node to another."""
+    _check_admin_enabled(request)
+    _require_auth(request)
+
+    try:
+        response = await request.app.state.http_client.post(
+            f"/api/v1/nodes/{public_key}/tags/copy-to/{dest_public_key}",
+        )
+        if response.status_code == 200:
+            data = response.json()
+            copied = data.get("copied", 0)
+            skipped = data.get("skipped", 0)
+            if skipped > 0:
+                message = f"Copied {copied} tag(s), skipped {skipped} existing"
+            else:
+                message = f"Copied {copied} tag(s) successfully"
+            # Redirect to destination node to show copied tags
+            redirect_url = _build_redirect_url(dest_public_key, message=message)
+        elif response.status_code == 400:
+            redirect_url = _build_redirect_url(
+                public_key, error=_get_error_detail(response)
+            )
+        elif response.status_code == 404:
+            redirect_url = _build_redirect_url(
+                public_key, error=_get_error_detail(response)
+            )
+        else:
+            redirect_url = _build_redirect_url(
+                public_key, error=_get_error_detail(response)
+            )
+    except Exception as e:
+        logger.exception("Failed to copy tags: %s", e)
+        redirect_url = _build_redirect_url(public_key, error="Failed to copy tags")
+
+    return RedirectResponse(url=redirect_url, status_code=303)
+
+
+@router.post("/node-tags/delete-all", response_class=RedirectResponse)
+async def admin_delete_all_tags(
+    request: Request,
+    public_key: str = Form(...),
+) -> RedirectResponse:
+    """Delete all tags from a node."""
+    _check_admin_enabled(request)
+    _require_auth(request)
+
+    try:
+        response = await request.app.state.http_client.delete(
+            f"/api/v1/nodes/{public_key}/tags",
+        )
+        if response.status_code == 200:
+            data = response.json()
+            deleted = data.get("deleted", 0)
+            message = f"Deleted {deleted} tag(s) successfully"
+            redirect_url = _build_redirect_url(public_key, message=message)
+        elif response.status_code == 404:
+            redirect_url = _build_redirect_url(
+                public_key, error=_get_error_detail(response)
+            )
+        else:
+            redirect_url = _build_redirect_url(
+                public_key, error=_get_error_detail(response)
+            )
+    except Exception as e:
+        logger.exception("Failed to delete tags: %s", e)
+        redirect_url = _build_redirect_url(public_key, error="Failed to delete tags")
+
+    return RedirectResponse(url=redirect_url, status_code=303)
@@ -118,12 +118,18 @@ async def node_detail(request: Request, public_key: str) -> HTMLResponse:
        logger.warning(f"Failed to fetch node details from API: {e}")
        context["api_error"] = str(e)

+    # Check if admin editing is available
+    admin_enabled = getattr(request.app.state, "admin_enabled", False)
+    auth_user = request.headers.get("X-Forwarded-User")
+
    context.update(
        {
            "node": node,
            "advertisements": advertisements,
            "telemetry": telemetry,
            "public_key": public_key,
+            "admin_enabled": admin_enabled,
+            "is_authenticated": bool(auth_user),
        }
    )

@@ -1,38 +0,0 @@
-{% extends "base.html" %}
-
-{% block title %}{{ network_name }} - Admin{% endblock %}
-
-{% block content %}
-<div class="flex items-center justify-between mb-6">
-    <h1 class="text-3xl font-bold">Admin</h1>
-    <a href="/oauth2/sign_out" class="btn btn-outline btn-sm">Sign Out</a>
-</div>
-
-<div class="card bg-base-100 shadow-xl">
-    <div class="card-body">
-        <h2 class="card-title">Authenticated User</h2>
-        <div class="overflow-x-auto">
-            <table class="table">
-                <tbody>
-                    <tr>
-                        <th class="w-64">X-Forwarded-User</th>
-                        <td>{{ auth_user or '-' }}</td>
-                    </tr>
-                    <tr>
-                        <th>X-Forwarded-Preferred-Username</th>
-                        <td>{{ auth_username or '-' }}</td>
-                    </tr>
-                    <tr>
-                        <th>X-Forwarded-Email</th>
-                        <td>{{ auth_email or '-' }}</td>
-                    </tr>
-                    <tr>
-                        <th>X-Forwarded-Groups</th>
-                        <td>{{ auth_groups or '-' }}</td>
-                    </tr>
-                </tbody>
-            </table>
-        </div>
-    </div>
-</div>
-{% endblock %}
@@ -0,0 +1,20 @@
+{% extends "base.html" %}
+
+{% block title %}{{ network_name }} - Access Denied{% endblock %}
+
+{% block content %}
+<div class="flex flex-col items-center justify-center min-h-[50vh]">
+    <div class="text-center">
+        <svg xmlns="http://www.w3.org/2000/svg" class="h-24 w-24 mx-auto text-error opacity-50 mb-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z" />
+        </svg>
+        <h1 class="text-3xl font-bold mb-2">Access Denied</h1>
+        <p class="text-lg opacity-70 mb-6">You don't have permission to access the admin area.</p>
+        <p class="text-sm opacity-50 mb-8">Please contact the network administrator if you believe this is an error.</p>
+        <div class="flex gap-4 justify-center">
+            <a href="/" class="btn btn-primary">Return Home</a>
+            <a href="/oauth2/sign_out" class="btn btn-outline">Sign Out</a>
+        </div>
+    </div>
+</div>
+{% endblock %}
@@ -0,0 +1,53 @@
+{% extends "base.html" %}
+
+{% block title %}{{ network_name }} - Admin{% endblock %}
+
+{% block content %}
+<div class="flex items-center justify-between mb-4">
+    <div>
+        <h1 class="text-3xl font-bold">Admin</h1>
+        <div class="text-sm breadcrumbs">
+            <ul>
+                <li><a href="/">Home</a></li>
+                <li>Admin</li>
+            </ul>
+        </div>
+    </div>
+    <a href="/oauth2/sign_out" class="btn btn-outline btn-sm">Sign Out</a>
+</div>
+
+<!-- Authenticated User Info -->
+<div class="flex flex-wrap items-center gap-4 text-sm opacity-70 mb-6">
+    {% if auth_username or auth_user %}
+    <span class="flex items-center gap-1.5">
+        <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M16 7a4 4 0 11-8 0 4 4 0 018 0zM12 14a7 7 0 00-7 7h14a7 7 0 00-7-7z" />
+        </svg>
+        {{ auth_username or auth_user }}
+    </span>
+    {% endif %}
+    {% if auth_email %}
+    <span class="flex items-center gap-1.5">
+        <svg xmlns="http://www.w3.org/2000/svg" class="h-4 w-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M3 8l7.89 5.26a2 2 0 002.22 0L21 8M5 19h14a2 2 0 002-2V7a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z" />
+        </svg>
+        {{ auth_email }}
+    </span>
+    {% endif %}
+</div>
+
+<!-- Navigation Cards -->
+<div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+    <a href="/a/node-tags" class="card bg-base-100 shadow-xl hover:shadow-2xl transition-shadow">
+        <div class="card-body">
+            <h2 class="card-title">
+                <svg xmlns="http://www.w3.org/2000/svg" class="h-6 w-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M7 7h.01M7 3h5c.512 0 1.024.195 1.414.586l7 7a2 2 0 010 2.828l-7 7a2 2 0 01-2.828 0l-7-7A2 2 0 013 12V7a4 4 0 014-4z" />
+                </svg>
+                Node Tags
+            </h2>
+            <p>Manage custom tags and metadata for network nodes.</p>
+        </div>
+    </a>
+</div>
+{% endblock %}
@@ -0,0 +1,434 @@
+{% extends "base.html" %}
+
+{% block title %}{{ network_name }} - Node Tags Admin{% endblock %}
+
+{% block content %}
+<div class="flex items-center justify-between mb-6">
+    <div>
+        <h1 class="text-3xl font-bold">Node Tags</h1>
+        <div class="text-sm breadcrumbs">
+            <ul>
+                <li><a href="/">Home</a></li>
+                <li><a href="/a/">Admin</a></li>
+                <li>Node Tags</li>
+            </ul>
+        </div>
+    </div>
+    <a href="/oauth2/sign_out" class="btn btn-outline btn-sm">Sign Out</a>
+</div>
+
+<!-- Flash Messages -->
+{% if message %}
+<div class="alert alert-success mb-4">
+    <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+    </svg>
+    <span>{{ message }}</span>
+</div>
+{% endif %}
+
+{% if error %}
+<div class="alert alert-error mb-4">
+    <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M10 14l2-2m0 0l2-2m-2 2l-2-2m2 2l2 2m7-2a9 9 0 11-18 0 9 9 0 0118 0z" />
+    </svg>
+    <span>{{ error }}</span>
+</div>
+{% endif %}
+
+<!-- Node Selector -->
+<div class="card bg-base-100 shadow-xl mb-6">
+    <div class="card-body">
+        <h2 class="card-title">Select Node</h2>
+        <form method="get" action="/a/node-tags" class="flex gap-4 items-end">
+            <div class="form-control flex-1">
+                <label class="label">
+                    <span class="label-text">Node</span>
+                </label>
+                <select name="public_key" class="select select-bordered w-full" onchange="this.form.submit()">
+                    <option value="">-- Select a node --</option>
+                    {% for node in nodes %}
+                    <option value="{{ node.public_key }}" {% if node.public_key == selected_public_key %}selected{% endif %}>
+                        {{ node.name or 'Unnamed' }} ({{ node.public_key[:8] }}...{{ node.public_key[-4:] }})
+                    </option>
+                    {% endfor %}
+                </select>
+            </div>
+            <button type="submit" class="btn btn-primary">Load Tags</button>
+        </form>
+    </div>
+</div>
+
+{% if selected_public_key and selected_node %}
+<!-- Selected Node Info -->
+<div class="card bg-base-100 shadow-xl mb-6">
+    <div class="card-body">
+        <div class="flex justify-between items-start">
+            <div class="flex items-start gap-3">
+                <span class="text-2xl" title="{{ selected_node.adv_type or 'Unknown' }}">{% if selected_node.adv_type and selected_node.adv_type|lower == 'chat' %}💬{% elif selected_node.adv_type and selected_node.adv_type|lower == 'repeater' %}📡{% elif selected_node.adv_type and selected_node.adv_type|lower == 'room' %}🪧{% else %}📍{% endif %}</span>
+                <div>
+                    <h2 class="card-title">{{ selected_node.name or 'Unnamed Node' }}</h2>
+                    <p class="text-sm opacity-70 font-mono">{{ selected_public_key }}</p>
+                </div>
+            </div>
+            <div class="flex gap-2">
+                {% if tags %}
+                <button class="btn btn-outline btn-sm" onclick="copyAllModal.showModal()">Copy All</button>
+                <button class="btn btn-outline btn-error btn-sm" onclick="deleteAllModal.showModal()">Delete All</button>
+                {% endif %}
+                <a href="/nodes/{{ selected_public_key }}" class="btn btn-ghost btn-sm">View Node</a>
+            </div>
+        </div>
+    </div>
+</div>
+
+<!-- Tags Table -->
+<div class="card bg-base-100 shadow-xl mb-6">
+    <div class="card-body">
+        <h2 class="card-title">Tags ({{ tags|length }})</h2>
+
+        {% if tags %}
+        <div class="overflow-x-auto">
+            <table class="table table-zebra">
+                <thead>
+                    <tr>
+                        <th>Key</th>
+                        <th>Value</th>
+                        <th>Type</th>
+                        <th>Updated</th>
+                        <th class="w-48">Actions</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    {% for tag in tags %}
+                    <tr data-tag-key="{{ tag.key }}" data-tag-value="{{ tag.value or '' }}" data-tag-type="{{ tag.value_type }}">
+                        <td class="font-mono font-semibold">{{ tag.key }}</td>
+                        <td class="max-w-xs truncate" title="{{ tag.value or '' }}">{{ tag.value or '-' }}</td>
+                        <td>
+                            <span class="badge badge-ghost badge-sm">{{ tag.value_type }}</span>
+                        </td>
+                        <td class="text-sm opacity-70">{{ tag.updated_at[:10] if tag.updated_at else '-' }}</td>
+                        <td>
+                            <div class="flex gap-1">
+                                <button class="btn btn-ghost btn-xs btn-edit">
+                                    Edit
+                                </button>
+                                <button class="btn btn-ghost btn-xs btn-move">
+                                    Move
+                                </button>
+                                <button class="btn btn-ghost btn-xs text-error btn-delete">
+                                    Delete
+                                </button>
+                            </div>
+                        </td>
+                    </tr>
+                    {% endfor %}
+                </tbody>
+            </table>
+        </div>
+        {% else %}
+        <div class="text-center py-8 text-base-content/60">
+            <p>No tags found for this node.</p>
+            <p class="text-sm mt-2">Add a new tag below.</p>
+        </div>
+        {% endif %}
+    </div>
+</div>
+
+<!-- Add New Tag Form -->
+<div class="card bg-base-100 shadow-xl">
+    <div class="card-body">
+        <h2 class="card-title">Add New Tag</h2>
+        <form method="post" action="/a/node-tags" class="grid grid-cols-1 md:grid-cols-4 gap-4">
+            <input type="hidden" name="public_key" value="{{ selected_public_key }}">
+
+            <div class="form-control">
+                <label class="label">
+                    <span class="label-text">Key</span>
+                </label>
+                <input type="text" name="key" class="input input-bordered" placeholder="tag_name" required maxlength="100">
+            </div>
+
+            <div class="form-control">
+                <label class="label">
+                    <span class="label-text">Value</span>
+                </label>
+                <input type="text" name="value" class="input input-bordered" placeholder="tag value">
+            </div>
+
+            <div class="form-control">
+                <label class="label">
+                    <span class="label-text">Type</span>
+                </label>
+                <select name="value_type" class="select select-bordered">
+                    <option value="string">string</option>
+                    <option value="number">number</option>
+                    <option value="boolean">boolean</option>
+                                    </select>
+            </div>
+
+            <div class="form-control">
+                <label class="label">
+                    <span class="label-text">&nbsp;</span>
+                </label>
+                <button type="submit" class="btn btn-primary">Add Tag</button>
+            </div>
+        </form>
+    </div>
+</div>
+
+<!-- Edit Modal -->
+<dialog id="editModal" class="modal">
+    <div class="modal-box">
+        <h3 class="font-bold text-lg">Edit Tag</h3>
+        <form method="post" action="/a/node-tags/update" class="py-4">
+            <input type="hidden" name="public_key" value="{{ selected_public_key }}">
+            <input type="hidden" name="key" id="editKey">
+
+            <div class="form-control mb-4">
+                <label class="label">
+                    <span class="label-text">Key</span>
+                </label>
+                <input type="text" id="editKeyDisplay" class="input input-bordered" disabled>
+            </div>
+
+            <div class="form-control mb-4">
+                <label class="label">
+                    <span class="label-text">Value</span>
+                </label>
+                <input type="text" name="value" id="editValue" class="input input-bordered">
+            </div>
+
+            <div class="form-control mb-4">
+                <label class="label">
+                    <span class="label-text">Type</span>
+                </label>
+                <select name="value_type" id="editValueType" class="select select-bordered w-full">
+                    <option value="string">string</option>
+                    <option value="number">number</option>
+                    <option value="boolean">boolean</option>
+                                    </select>
+            </div>
+
+            <div class="modal-action">
+                <button type="button" class="btn" onclick="editModal.close()">Cancel</button>
+                <button type="submit" class="btn btn-primary">Save Changes</button>
+            </div>
+        </form>
+    </div>
+    <form method="dialog" class="modal-backdrop">
+        <button>close</button>
+    </form>
+</dialog>
+
+<!-- Move Modal -->
+<dialog id="moveModal" class="modal">
+    <div class="modal-box">
+        <h3 class="font-bold text-lg">Move Tag to Another Node</h3>
+        <form method="post" action="/a/node-tags/move" class="py-4">
+            <input type="hidden" name="public_key" value="{{ selected_public_key }}">
+            <input type="hidden" name="key" id="moveKey">
+
+            <div class="form-control mb-4">
+                <label class="label">
+                    <span class="label-text">Tag Key</span>
+                </label>
+                <input type="text" id="moveKeyDisplay" class="input input-bordered" disabled>
+            </div>
+
+            <div class="form-control mb-4">
+                <label class="label">
+                    <span class="label-text">Destination Node</span>
+                </label>
+                <select name="new_public_key" id="moveDestination" class="select select-bordered w-full" required>
+                    <option value="">-- Select destination node --</option>
+                    {% for node in nodes %}
+                    {% if node.public_key != selected_public_key %}
+                    <option value="{{ node.public_key }}">
+                        {{ node.name or 'Unnamed' }} ({{ node.public_key[:8] }}...{{ node.public_key[-4:] }})
+                    </option>
+                    {% endif %}
+                    {% endfor %}
+                </select>
+            </div>
+
+            <div class="alert alert-warning mb-4">
+                <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+                </svg>
+                <span>This will move the tag from the current node to the destination node.</span>
+            </div>
+
+            <div class="modal-action">
+                <button type="button" class="btn" onclick="moveModal.close()">Cancel</button>
+                <button type="submit" class="btn btn-warning">Move Tag</button>
+            </div>
+        </form>
+    </div>
+    <form method="dialog" class="modal-backdrop">
+        <button>close</button>
+    </form>
+</dialog>
+
+<!-- Delete Modal -->
+<dialog id="deleteModal" class="modal">
+    <div class="modal-box">
+        <h3 class="font-bold text-lg">Delete Tag</h3>
+        <form method="post" action="/a/node-tags/delete" class="py-4">
+            <input type="hidden" name="public_key" value="{{ selected_public_key }}">
+            <input type="hidden" name="key" id="deleteKey">
+
+            <p class="py-4">Are you sure you want to delete the tag "<span id="deleteKeyDisplay" class="font-mono font-semibold"></span>"?</p>
+
+            <div class="alert alert-error mb-4">
+                <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+                </svg>
+                <span>This action cannot be undone.</span>
+            </div>
+
+            <div class="modal-action">
+                <button type="button" class="btn" onclick="deleteModal.close()">Cancel</button>
+                <button type="submit" class="btn btn-error">Delete</button>
+            </div>
+        </form>
+    </div>
+    <form method="dialog" class="modal-backdrop">
+        <button>close</button>
+    </form>
+</dialog>
+
+<!-- Copy All Tags Modal -->
+<dialog id="copyAllModal" class="modal">
+    <div class="modal-box">
+        <h3 class="font-bold text-lg">Copy All Tags to Another Node</h3>
+        <form method="post" action="/a/node-tags/copy-all" class="py-4">
+            <input type="hidden" name="public_key" value="{{ selected_public_key }}">
+
+            <p class="mb-4">Copy all {{ tags|length }} tag(s) from <strong>{{ selected_node.name or 'Unnamed' }}</strong> to another node.</p>
+
+            <div class="form-control mb-4">
+                <label class="label">
+                    <span class="label-text">Destination Node</span>
+                </label>
+                <select name="dest_public_key" class="select select-bordered w-full" required>
+                    <option value="">-- Select destination node --</option>
+                    {% for node in nodes %}
+                    {% if node.public_key != selected_public_key %}
+                    <option value="{{ node.public_key }}">
+                        {{ node.name or 'Unnamed' }} ({{ node.public_key[:8] }}...{{ node.public_key[-4:] }})
+                    </option>
+                    {% endif %}
+                    {% endfor %}
+                </select>
+            </div>
+
+            <div class="alert alert-info mb-4">
+                <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+                </svg>
+                <span>Tags that already exist on the destination node will be skipped. Original tags remain on this node.</span>
+            </div>
+
+            <div class="modal-action">
+                <button type="button" class="btn" onclick="copyAllModal.close()">Cancel</button>
+                <button type="submit" class="btn btn-primary">Copy Tags</button>
+            </div>
+        </form>
+    </div>
+    <form method="dialog" class="modal-backdrop">
+        <button>close</button>
+    </form>
+</dialog>
+
+<!-- Delete All Tags Modal -->
+<dialog id="deleteAllModal" class="modal">
+    <div class="modal-box">
+        <h3 class="font-bold text-lg">Delete All Tags</h3>
+        <form method="post" action="/a/node-tags/delete-all" class="py-4">
+            <input type="hidden" name="public_key" value="{{ selected_public_key }}">
+
+            <p class="mb-4">Are you sure you want to delete all {{ tags|length }} tag(s) from <strong>{{ selected_node.name or 'Unnamed' }}</strong>?</p>
+
+            <div class="alert alert-error mb-4">
+                <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+                </svg>
+                <span>This action cannot be undone. All tags will be permanently deleted.</span>
+            </div>
+
+            <div class="modal-action">
+                <button type="button" class="btn" onclick="deleteAllModal.close()">Cancel</button>
+                <button type="submit" class="btn btn-error">Delete All Tags</button>
+            </div>
+        </form>
+    </div>
+    <form method="dialog" class="modal-backdrop">
+        <button>close</button>
+    </form>
+</dialog>
+
+{% elif selected_public_key and not selected_node %}
+<div class="alert alert-warning">
+    <svg xmlns="http://www.w3.org/2000/svg" class="stroke-current shrink-0 h-6 w-6" fill="none" viewBox="0 0 24 24">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+    </svg>
+    <span>Node not found: {{ selected_public_key }}</span>
+</div>
+{% else %}
+<div class="card bg-base-100 shadow-xl">
+    <div class="card-body text-center py-12">
+        <svg xmlns="http://www.w3.org/2000/svg" class="h-16 w-16 mx-auto mb-4 opacity-30" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M7 7h.01M7 3h5c.512 0 1.024.195 1.414.586l7 7a2 2 0 010 2.828l-7 7a2 2 0 01-2.828 0l-7-7A2 2 0 013 12V7a4 4 0 014-4z" />
+        </svg>
+        <h2 class="text-xl font-semibold mb-2">Select a Node</h2>
+        <p class="opacity-70">Choose a node from the dropdown above to view and manage its tags.</p>
+    </div>
+</div>
+{% endif %}
+{% endblock %}
+
+{% block extra_scripts %}
+<script>
+// Use event delegation to handle button clicks safely
+document.addEventListener('DOMContentLoaded', function() {
+    // Edit button handler
+    document.querySelectorAll('.btn-edit').forEach(function(btn) {
+        btn.addEventListener('click', function() {
+            var row = this.closest('tr');
+            var key = row.dataset.tagKey;
+            var value = row.dataset.tagValue;
+            var valueType = row.dataset.tagType;
+            document.getElementById('editKey').value = key;
+            document.getElementById('editKeyDisplay').value = key;
+            document.getElementById('editValue').value = value;
+            document.getElementById('editValueType').value = valueType;
+            editModal.showModal();
+        });
+    });
+
+    // Move button handler
+    document.querySelectorAll('.btn-move').forEach(function(btn) {
+        btn.addEventListener('click', function() {
+            var row = this.closest('tr');
+            var key = row.dataset.tagKey;
+            document.getElementById('moveKey').value = key;
+            document.getElementById('moveKeyDisplay').value = key;
+            document.getElementById('moveDestination').selectedIndex = 0;
+            moveModal.showModal();
+        });
+    });
+
+    // Delete button handler
+    document.querySelectorAll('.btn-delete').forEach(function(btn) {
+        btn.addEventListener('click', function() {
+            var row = this.closest('tr');
+            var key = row.dataset.tagKey;
+            document.getElementById('deleteKey').value = key;
+            document.getElementById('deleteKeyDisplay').textContent = key;
+            deleteModal.showModal();
+        });
+    });
+});
+</script>
+{% endblock %}
@@ -114,7 +114,7 @@
                <a href="{{ network_contact_github }}" target="_blank" rel="noopener noreferrer" class="link link-hover">GitHub</a>
                {% endif %}
            </p>
-            <p class="text-xs opacity-50 mt-2">Powered by <a href="https://github.com/ipnet-mesh/meshcore-hub" target="_blank" rel="noopener noreferrer" class="link link-hover">MeshCore Hub</a> {{ version }}</p>
+            <p class="text-xs opacity-50 mt-2">{% if admin_enabled %}<a href="/a/" class="link link-hover">Admin</a> | {% endif %}Powered by <a href="https://github.com/ipnet-mesh/meshcore-hub" target="_blank" rel="noopener noreferrer" class="link link-hover">MeshCore Hub</a> {{ version }}</p>
        </aside>
    </footer>

@@ -97,9 +97,10 @@

        <div class="grid grid-cols-1 {% if ns_map.lat and ns_map.lon %}lg:grid-cols-2{% endif %} gap-6 mt-6">
            <!-- Tags -->
-            {% if node.tags %}
+            {% if node.tags or (admin_enabled and is_authenticated) %}
            <div>
                <h3 class="font-semibold opacity-70 mb-2">Tags</h3>
+                {% if node.tags %}
                <div class="overflow-x-auto">
                    <table class="table table-compact w-full">
                        <thead>
@@ -120,6 +121,14 @@
                        </tbody>
                    </table>
                </div>
+                {% else %}
+                <p class="text-sm opacity-70 mb-2">No tags defined.</p>
+                {% endif %}
+                {% if admin_enabled and is_authenticated %}
+                <div class="mt-3">
+                    <a href="/a/node-tags?public_key={{ node.public_key }}" class="btn btn-sm btn-outline">{% if node.tags %}Edit Tags{% else %}Add Tags{% endif %}</a>
+                </div>
+                {% endif %}
            </div>
            {% endif %}

@@ -158,3 +158,166 @@ class TestNodeTags:
            headers={"Authorization": "Bearer test-admin-key"},
        )
        assert response.status_code == 201  # Created
+
+
+class TestMoveNodeTag:
+    """Tests for PUT /nodes/{public_key}/tags/{key}/move endpoint."""
+
+    # 64-character public key for testing
+    DEST_PUBLIC_KEY = "xyz789xyz789xyz789xyz789xyz789xyabc123abc123abc123abc123abc123ab"
+
+    def test_move_node_tag_success(
+        self, client_no_auth, api_db_session, sample_node, sample_node_tag
+    ):
+        """Test successfully moving a tag to another node."""
+        from meshcore_hub.common.models import Node
+        from datetime import datetime, timezone
+
+        # Create a second node with 64-char public key
+        second_node = Node(
+            public_key=self.DEST_PUBLIC_KEY,
+            name="Second Node",
+            adv_type="CHAT",
+            first_seen=datetime.now(timezone.utc),
+        )
+        api_db_session.add(second_node)
+        api_db_session.commit()
+
+        response = client_no_auth.put(
+            f"/api/v1/nodes/{sample_node.public_key}/tags/{sample_node_tag.key}/move",
+            json={"new_public_key": second_node.public_key},
+        )
+        assert response.status_code == 200
+        data = response.json()
+        assert data["key"] == sample_node_tag.key
+        assert data["value"] == sample_node_tag.value
+
+        # Verify tag is no longer on original node
+        response = client_no_auth.get(
+            f"/api/v1/nodes/{sample_node.public_key}/tags/{sample_node_tag.key}"
+        )
+        assert response.status_code == 404
+
+        # Verify tag is now on new node
+        response = client_no_auth.get(
+            f"/api/v1/nodes/{second_node.public_key}/tags/{sample_node_tag.key}"
+        )
+        assert response.status_code == 200
+
+    def test_move_node_tag_source_not_found(self, client_no_auth):
+        """Test moving a tag from a non-existent node."""
+        response = client_no_auth.put(
+            "/api/v1/nodes/nonexistent123/tags/somekey/move",
+            json={"new_public_key": self.DEST_PUBLIC_KEY},
+        )
+        assert response.status_code == 404
+        assert "Source node not found" in response.json()["detail"]
+
+    def test_move_node_tag_tag_not_found(self, client_no_auth, sample_node):
+        """Test moving a non-existent tag."""
+        response = client_no_auth.put(
+            f"/api/v1/nodes/{sample_node.public_key}/tags/nonexistent/move",
+            json={"new_public_key": self.DEST_PUBLIC_KEY},
+        )
+        assert response.status_code == 404
+        assert "Tag not found" in response.json()["detail"]
+
+    def test_move_node_tag_dest_not_found(
+        self, client_no_auth, sample_node, sample_node_tag
+    ):
+        """Test moving a tag to a non-existent destination node."""
+        # 64-character nonexistent public key
+        nonexistent_key = (
+            "1111111111111111111111111111111122222222222222222222222222222222"
+        )
+        response = client_no_auth.put(
+            f"/api/v1/nodes/{sample_node.public_key}/tags/{sample_node_tag.key}/move",
+            json={"new_public_key": nonexistent_key},
+        )
+        assert response.status_code == 404
+        assert "Destination node not found" in response.json()["detail"]
+
+    def test_move_node_tag_conflict(
+        self, client_no_auth, api_db_session, sample_node, sample_node_tag
+    ):
+        """Test moving a tag when destination already has that key."""
+        from meshcore_hub.common.models import Node, NodeTag
+        from datetime import datetime, timezone
+
+        # Create second node with same tag key
+        second_node = Node(
+            public_key=self.DEST_PUBLIC_KEY,
+            name="Second Node",
+            adv_type="CHAT",
+            first_seen=datetime.now(timezone.utc),
+        )
+        api_db_session.add(second_node)
+        api_db_session.commit()
+
+        # Add the same tag key to second node
+        existing_tag = NodeTag(
+            node_id=second_node.id,
+            key=sample_node_tag.key,  # Same key
+            value="different value",
+        )
+        api_db_session.add(existing_tag)
+        api_db_session.commit()
+
+        response = client_no_auth.put(
+            f"/api/v1/nodes/{sample_node.public_key}/tags/{sample_node_tag.key}/move",
+            json={"new_public_key": second_node.public_key},
+        )
+        assert response.status_code == 409
+        assert "already exists on destination" in response.json()["detail"]
+
+    def test_move_node_tag_requires_admin(
+        self, client_with_auth, sample_node, sample_node_tag
+    ):
+        """Test that move operation requires admin auth."""
+        # Without auth
+        response = client_with_auth.put(
+            f"/api/v1/nodes/{sample_node.public_key}/tags/{sample_node_tag.key}/move",
+            json={"new_public_key": self.DEST_PUBLIC_KEY},
+        )
+        assert response.status_code == 401
+
+        # With read key (not admin)
+        response = client_with_auth.put(
+            f"/api/v1/nodes/{sample_node.public_key}/tags/{sample_node_tag.key}/move",
+            json={"new_public_key": self.DEST_PUBLIC_KEY},
+            headers={"Authorization": "Bearer test-read-key"},
+        )
+        assert response.status_code == 403
+
+    def test_move_node_tag_same_node(self, client_no_auth, api_db_session):
+        """Test moving a tag to the same node returns 400."""
+        from datetime import datetime, timezone
+
+        from meshcore_hub.common.models import Node, NodeTag
+
+        # Create node with 64-char public key
+        full_key = "abc123def456abc123def456abc123deabc123def456abc123def456abc123de"
+        node = Node(
+            public_key=full_key,
+            name="Test Node 64",
+            adv_type="REPEATER",
+            first_seen=datetime.now(timezone.utc),
+        )
+        api_db_session.add(node)
+        api_db_session.commit()
+
+        # Create tag
+        tag = NodeTag(
+            node_id=node.id,
+            key="test_tag",
+            value="test_value",
+        )
+        api_db_session.add(tag)
+        api_db_session.commit()
+
+        response = client_no_auth.put(
+            f"/api/v1/nodes/{full_key}/tags/test_tag/move",
+            json={"new_public_key": full_key},
+        )
+        assert response.status_code == 400
+        assert "same" in response.json()["detail"].lower()
@@ -99,7 +99,7 @@ class TestLoadTagsFile:
        """Test loading file with full format (value and type)."""
        data = {
            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef": {
-                "location": {"value": "52.0,1.0", "type": "coordinate"},
+                "is_active": {"value": "true", "type": "boolean"},
                "altitude": {"value": "150", "type": "number"},
            }
        }
@@ -110,7 +110,7 @@ class TestLoadTagsFile:

            result = load_tags_file(f.name)
            key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
-            assert result[key]["location"]["type"] == "coordinate"
+            assert result[key]["is_active"]["type"] == "boolean"
            assert result[key]["altitude"]["type"] == "number"

        Path(f.name).unlink()
@@ -55,14 +55,14 @@ class TestNodeModel:
    def test_node_tags_relationship(self, db_session) -> None:
        """Test node-tag relationship."""
        node = Node(public_key="b" * 64, name="Tagged Node")
-        tag = NodeTag(key="location", value="51.5,-0.1", value_type="coordinate")
+        tag = NodeTag(key="altitude", value="150", value_type="number")
        node.tags.append(tag)

        db_session.add(node)
        db_session.commit()

        assert len(node.tags) == 1
-        assert node.tags[0].key == "location"
+        assert node.tags[0].key == "altitude"


 class TestMessageModel:
@@ -255,6 +255,18 @@ class MockHttpClient:
        key = f"POST:{path}"
        return self._create_response(key)

+    async def put(
+        self, path: str, json: dict | None = None, params: dict | None = None
+    ) -> Response:
+        """Mock PUT request."""
+        key = f"PUT:{path}"
+        return self._create_response(key)
+
+    async def delete(self, path: str, params: dict | None = None) -> Response:
+        """Mock DELETE request."""
+        key = f"DELETE:{path}"
+        return self._create_response(key)
+
    async def aclose(self) -> None:
        """Mock close method."""
        pass
@@ -0,0 +1,426 @@
+"""Tests for admin web routes."""
+
+from typing import Any
+
+import pytest
+from fastapi.testclient import TestClient
+
+from meshcore_hub.web.app import create_app
+
+from .conftest import MockHttpClient
+
+
+@pytest.fixture
+def mock_http_client_admin() -> MockHttpClient:
+    """Create a mock HTTP client for admin tests."""
+    client = MockHttpClient()
+
+    # Mock the nodes API response for admin dropdown
+    client.set_response(
+        "GET",
+        "/api/v1/nodes",
+        200,
+        {
+            "items": [
+                {
+                    "public_key": "abc123def456abc123def456abc123de",
+                    "name": "Node One",
+                    "adv_type": "REPEATER",
+                    "first_seen": "2024-01-01T00:00:00Z",
+                    "last_seen": "2024-01-01T12:00:00Z",
+                    "created_at": "2024-01-01T00:00:00Z",
+                    "updated_at": "2024-01-01T00:00:00Z",
+                    "tags": [],
+                },
+                {
+                    "public_key": "xyz789xyz789xyz789xyz789xyz789xy",
+                    "name": "Node Two",
+                    "adv_type": "CHAT",
+                    "first_seen": "2024-01-01T00:00:00Z",
+                    "last_seen": "2024-01-01T11:00:00Z",
+                    "created_at": "2024-01-01T00:00:00Z",
+                    "updated_at": "2024-01-01T00:00:00Z",
+                    "tags": [],
+                },
+            ],
+            "total": 2,
+            "limit": 100,
+            "offset": 0,
+        },
+    )
+
+    # Mock node tags response
+    client.set_response(
+        "GET",
+        "/api/v1/nodes/abc123def456abc123def456abc123de/tags",
+        200,
+        [
+            {
+                "key": "environment",
+                "value": "production",
+                "value_type": "string",
+                "created_at": "2024-01-01T00:00:00Z",
+                "updated_at": "2024-01-01T00:00:00Z",
+            },
+            {
+                "key": "location",
+                "value": "building-a",
+                "value_type": "string",
+                "created_at": "2024-01-01T00:00:00Z",
+                "updated_at": "2024-01-01T00:00:00Z",
+            },
+        ],
+    )
+
+    # Mock create tag response
+    client.set_response(
+        "POST",
+        "/api/v1/nodes/abc123def456abc123def456abc123de/tags",
+        201,
+        {
+            "key": "new_tag",
+            "value": "new_value",
+            "value_type": "string",
+            "created_at": "2024-01-01T00:00:00Z",
+            "updated_at": "2024-01-01T00:00:00Z",
+        },
+    )
+
+    # Mock update tag response
+    client.set_response(
+        "PUT",
+        "/api/v1/nodes/abc123def456abc123def456abc123de/tags/environment",
+        200,
+        {
+            "key": "environment",
+            "value": "staging",
+            "value_type": "string",
+            "created_at": "2024-01-01T00:00:00Z",
+            "updated_at": "2024-01-01T12:00:00Z",
+        },
+    )
+
+    # Mock move tag response
+    client.set_response(
+        "PUT",
+        "/api/v1/nodes/abc123def456abc123def456abc123de/tags/environment/move",
+        200,
+        {
+            "key": "environment",
+            "value": "production",
+            "value_type": "string",
+            "created_at": "2024-01-01T00:00:00Z",
+            "updated_at": "2024-01-01T12:00:00Z",
+        },
+    )
+
+    # Mock delete tag response
+    client.set_response(
+        "DELETE",
+        "/api/v1/nodes/abc123def456abc123def456abc123de/tags/environment",
+        204,
+        None,
+    )
+
+    return client
+
+
+@pytest.fixture
+def admin_app(mock_http_client_admin: MockHttpClient) -> Any:
+    """Create a web app with admin enabled."""
+    app = create_app(
+        api_url="http://localhost:8000",
+        api_key="test-api-key",
+        network_name="Test Network",
+        network_city="Test City",
+        network_country="Test Country",
+        network_radio_config="Test Radio Config",
+        network_contact_email="test@example.com",
+        admin_enabled=True,
+    )
+
+    app.state.http_client = mock_http_client_admin
+
+    return app
+
+
+@pytest.fixture
+def admin_app_disabled(mock_http_client_admin: MockHttpClient) -> Any:
+    """Create a web app with admin disabled."""
+    app = create_app(
+        api_url="http://localhost:8000",
+        api_key="test-api-key",
+        network_name="Test Network",
+        network_city="Test City",
+        network_country="Test Country",
+        network_radio_config="Test Radio Config",
+        network_contact_email="test@example.com",
+        admin_enabled=False,
+    )
+
+    app.state.http_client = mock_http_client_admin
+
+    return app
+
+
+@pytest.fixture
+def auth_headers() -> dict:
+    """Authentication headers for admin requests."""
+    return {
+        "X-Forwarded-User": "test-user-id",
+        "X-Forwarded-Email": "test@example.com",
+        "X-Forwarded-Preferred-Username": "testuser",
+    }
+
+
+@pytest.fixture
+def admin_client(admin_app: Any, mock_http_client_admin: MockHttpClient) -> TestClient:
+    """Create a test client with admin enabled."""
+    admin_app.state.http_client = mock_http_client_admin
+    return TestClient(admin_app, raise_server_exceptions=True)
+
+
+@pytest.fixture
+def admin_client_disabled(
+    admin_app_disabled: Any, mock_http_client_admin: MockHttpClient
+) -> TestClient:
+    """Create a test client with admin disabled."""
+    admin_app_disabled.state.http_client = mock_http_client_admin
+    return TestClient(admin_app_disabled, raise_server_exceptions=True)
+
+
+class TestAdminHome:
+    """Tests for admin home page."""
+
+    def test_admin_home_enabled(self, admin_client, auth_headers):
+        """Test admin home page when enabled."""
+        response = admin_client.get("/a/", headers=auth_headers)
+        assert response.status_code == 200
+        assert "Admin" in response.text
+        assert "Node Tags" in response.text
+
+    def test_admin_home_disabled(self, admin_client_disabled, auth_headers):
+        """Test admin home page when disabled."""
+        response = admin_client_disabled.get("/a/", headers=auth_headers)
+        assert response.status_code == 404
+
+    def test_admin_home_unauthenticated(self, admin_client):
+        """Test admin home page without authentication."""
+        response = admin_client.get("/a/")
+        assert response.status_code == 403
+        assert "Access Denied" in response.text
+
+
+class TestAdminNodeTags:
+    """Tests for admin node tags page."""
+
+    def test_node_tags_page_no_selection(self, admin_client, auth_headers):
+        """Test node tags page without selecting a node."""
+        response = admin_client.get("/a/node-tags", headers=auth_headers)
+        assert response.status_code == 200
+        assert "Node Tags" in response.text
+        assert "Select a Node" in response.text
+        # Should show node dropdown
+        assert "Node One" in response.text
+        assert "Node Two" in response.text
+
+    def test_node_tags_page_with_selection(self, admin_client, auth_headers):
+        """Test node tags page with a node selected."""
+        response = admin_client.get(
+            "/a/node-tags?public_key=abc123def456abc123def456abc123de",
+            headers=auth_headers,
+        )
+        assert response.status_code == 200
+        assert "Node Tags" in response.text
+        # Should show the selected node's tags
+        assert "environment" in response.text
+        assert "production" in response.text
+        assert "location" in response.text
+        assert "building-a" in response.text
+
+    def test_node_tags_page_disabled(self, admin_client_disabled, auth_headers):
+        """Test node tags page when admin is disabled."""
+        response = admin_client_disabled.get("/a/node-tags", headers=auth_headers)
+        assert response.status_code == 404
+
+    def test_node_tags_page_with_message(self, admin_client, auth_headers):
+        """Test node tags page displays success message."""
+        response = admin_client.get(
+            "/a/node-tags?public_key=abc123def456abc123def456abc123de"
+            "&message=Tag%20created%20successfully",
+            headers=auth_headers,
+        )
+        assert response.status_code == 200
+        assert "Tag created successfully" in response.text
+
+    def test_node_tags_page_with_error(self, admin_client, auth_headers):
+        """Test node tags page displays error message."""
+        response = admin_client.get(
+            "/a/node-tags?public_key=abc123def456abc123def456abc123de"
+            "&error=Tag%20already%20exists",
+            headers=auth_headers,
+        )
+        assert response.status_code == 200
+        assert "Tag already exists" in response.text
+
+    def test_node_tags_page_unauthenticated(self, admin_client):
+        """Test node tags page without authentication."""
+        response = admin_client.get("/a/node-tags")
+        assert response.status_code == 403
+        assert "Access Denied" in response.text
+
+
+class TestAdminCreateTag:
+    """Tests for creating node tags."""
+
+    def test_create_tag_success(self, admin_client, auth_headers):
+        """Test creating a new tag."""
+        response = admin_client.post(
+            "/a/node-tags",
+            data={
+                "public_key": "abc123def456abc123def456abc123de",
+                "key": "new_tag",
+                "value": "new_value",
+                "value_type": "string",
+            },
+            headers=auth_headers,
+            follow_redirects=False,
+        )
+        assert response.status_code == 303
+        assert "message=" in response.headers["location"]
+        assert "created" in response.headers["location"]
+
+    def test_create_tag_disabled(self, admin_client_disabled, auth_headers):
+        """Test creating tag when admin is disabled."""
+        response = admin_client_disabled.post(
+            "/a/node-tags",
+            data={
+                "public_key": "abc123def456abc123def456abc123de",
+                "key": "new_tag",
+                "value": "new_value",
+                "value_type": "string",
+            },
+            headers=auth_headers,
+            follow_redirects=False,
+        )
+        assert response.status_code == 404
+
+    def test_create_tag_unauthenticated(self, admin_client):
+        """Test creating tag without authentication."""
+        response = admin_client.post(
+            "/a/node-tags",
+            data={
+                "public_key": "abc123def456abc123def456abc123de",
+                "key": "new_tag",
+                "value": "new_value",
+                "value_type": "string",
+            },
+            follow_redirects=False,
+        )
+        assert response.status_code == 403
+
+
+class TestAdminUpdateTag:
+    """Tests for updating node tags."""
+
+    def test_update_tag_success(self, admin_client, auth_headers):
+        """Test updating a tag."""
+        response = admin_client.post(
+            "/a/node-tags/update",
+            data={
+                "public_key": "abc123def456abc123def456abc123de",
+                "key": "environment",
+                "value": "staging",
+                "value_type": "string",
+            },
+            headers=auth_headers,
+            follow_redirects=False,
+        )
+        assert response.status_code == 303
+        assert "message=" in response.headers["location"]
+        assert "updated" in response.headers["location"]
+
+    def test_update_tag_not_found(
+        self, admin_app, mock_http_client_admin: MockHttpClient, auth_headers
+    ):
+        """Test updating a non-existent tag returns error."""
+        # Set up 404 response for this specific tag
+        mock_http_client_admin.set_response(
+            "PUT",
+            "/api/v1/nodes/abc123def456abc123def456abc123de/tags/nonexistent",
+            404,
+            {"detail": "Tag not found"},
+        )
+        admin_app.state.http_client = mock_http_client_admin
+        client = TestClient(admin_app, raise_server_exceptions=True)
+
+        response = client.post(
+            "/a/node-tags/update",
+            data={
+                "public_key": "abc123def456abc123def456abc123de",
+                "key": "nonexistent",
+                "value": "value",
+                "value_type": "string",
+            },
+            headers=auth_headers,
+            follow_redirects=False,
+        )
+        assert response.status_code == 303
+        assert "error=" in response.headers["location"]
+        assert "not+found" in response.headers["location"].lower()
+
+    def test_update_tag_disabled(self, admin_client_disabled, auth_headers):
+        """Test updating tag when admin is disabled."""
+        response = admin_client_disabled.post(
+            "/a/node-tags/update",
+            data={
+                "public_key": "abc123def456abc123def456abc123de",
+                "key": "environment",
+                "value": "staging",
+                "value_type": "string",
+            },
+            headers=auth_headers,
+            follow_redirects=False,
+        )
+        assert response.status_code == 404
+
+
+class TestAdminMoveTag:
+    """Tests for moving node tags."""
+
+    def test_move_tag_success(self, admin_client, auth_headers):
+        """Test moving a tag to another node."""
+        response = admin_client.post(
+            "/a/node-tags/move",
+            data={
+                "public_key": "abc123def456abc123def456abc123de",
+                "key": "environment",
+                "new_public_key": "xyz789xyz789xyz789xyz789xyz789xy",
+            },
+            headers=auth_headers,
+            follow_redirects=False,
+        )
+        assert response.status_code == 303
+        # Should redirect to destination node
+        assert "xyz789xyz789xyz789xyz789xyz789xy" in response.headers["location"]
+        assert "message=" in response.headers["location"]
+        assert "moved" in response.headers["location"]
+
+
+class TestAdminDeleteTag:
+    """Tests for deleting node tags."""
+
+    def test_delete_tag_success(self, admin_client, auth_headers):
+        """Test deleting a tag."""
+        response = admin_client.post(
+            "/a/node-tags/delete",
+            data={
+                "public_key": "abc123def456abc123def456abc123de",
+                "key": "environment",
+            },
+            headers=auth_headers,
+            follow_redirects=False,
+        )
+        assert response.status_code == 303
+        assert "message=" in response.headers["location"]
+        assert "deleted" in response.headers["location"]
Author	SHA1	Message	Date
Louis King	20d75fe041	Add bulk copy and delete all tags for node replacement workflow When replacing a node device, users can now: - Copy All: Copy all tags to a new node (skips existing tags) - Delete All: Remove all tags from a node after migration New API endpoints: - POST /api/v1/nodes/{pk}/tags/copy-to/{dest_pk} - DELETE /api/v1/nodes/{pk}/tags Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-11 14:46:51 +00:00
Louis King	307f3935e0	Add access denied page for unauthenticated admin access When users try to access /a/ without valid OAuth2Proxy headers (e.g., GitHub account not in org), they now see a friendly 403 page instead of a 500 error. Added authentication checks to all admin routes. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-01-11 13:34:03 +00:00
Louis King	6901bafb02	Tidying Tag Editor layout	2026-01-11 13:13:22 +00:00
JingleManSweep	e595dc2b27	Merge pull request #63 from ipnet-mesh/claude/admin-node-tags-interface-pHbKm Add admin interface for managing node tags	2026-01-11 12:51:56 +00:00
Louis King	ed2cf09ff3	Improve admin UI and remove unused coordinate tag type - Replace node type badge with icon in admin tag editor - Add Edit/Add Tags button on node detail page (when admin enabled and authenticated) - Remove automatic seed container startup to prevent overwriting user changes - Remove unused 'coordinate' value type from node tags (only string, number, boolean remain)	2026-01-11 12:49:34 +00:00
Claude	bec736a894	Sort node dropdown alphabetically in admin interface Nodes in the dropdown are now sorted alphabetically by name, with unnamed nodes appearing at the end.	2026-01-11 12:01:11 +00:00
Claude	1457360703	Use API_ADMIN_KEY for web service to enable admin operations The web admin interface needs write permissions to create, update, move, and delete node tags. Changed to use API_ADMIN_KEY with fallback to API_READ_KEY if admin key is not configured.	2026-01-11 11:55:15 +00:00
Claude	d8a0f2abb8	Fix security vulnerabilities and add validation - Fix XSS vulnerability by using data attributes instead of inline onclick handlers in node_tags.html template - Fix URL injection by using urlencode for all redirect URL parameters - Add validation to reject moves where source and destination nodes are the same (returns 400 Bad Request) - Add error handling for response.json() calls that may fail - Add missing test coverage for update endpoint error scenarios	2026-01-11 11:51:57 +00:00
Claude	367f838371	Add admin interface for managing node tags Implement CRUD operations for NodeTags in the admin interface: - Add NodeTagMove schema for moving tags between nodes - Add PUT /nodes/{public_key}/tags/{key}/move API endpoint - Add web routes at /a/node-tags for tag management - Create admin templates with node selector and tag management UI - Support editing, adding, moving, and deleting tags via API calls - Add comprehensive tests for new functionality The interface allows selecting a node from a dropdown, viewing its tags, and performing all CRUD operations including moving a tag to a different node without having to delete and recreate it.	2026-01-11 01:34:07 +00:00