leszek3737 · leszek3737 · Apr 7, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -105,6 +105,11 @@ taskkill //PID <pid> //F
 | `/api/a2a/discover` | POST | Discover A2A agent at URL |
 | `/api/a2a/send` | POST | Send task to external A2A agent |
 | `/api/a2a/tasks/{id}/status` | GET | Check external A2A task status |
+| `/api/approvals/{id}/approve` | POST | Approve (body: `{totp_code?}`) |
+| `/api/approvals/totp/setup` | POST | Generate TOTP secret + URI |
+| `/api/approvals/totp/confirm` | POST | Confirm TOTP enrollment |
+| `/api/approvals/totp/status` | GET | Check TOTP enrollment status |
+| `/api/approvals/totp` | DELETE | Revoke TOTP enrollment |
 
 ## Architecture Notes
 - **Don't touch `librefang-cli`** — user is actively building the interactive CLI

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -136,6 +136,9 @@ rsa = "0.9"
 rand = "0.10"
 zeroize = { version = "1", features = ["derive"] }
 
+# TOTP
+totp-rs = { version = "5", features = ["gen_secret", "otpauth", "qr"] }
+
 # JWT validation
 jsonwebtoken = "10"
 

diff --git a/crates/librefang-api/Cargo.toml b/crates/librefang-api/Cargo.toml
@@ -28,6 +28,7 @@ axum = { workspace = true }
 tower = { workspace = true }
 tower-http = { workspace = true }
 chrono = { workspace = true }
+chrono-tz = { workspace = true }
 uuid = { workspace = true }
 futures = { workspace = true }
 governor = { workspace = true }

diff --git a/crates/librefang-api/dashboard/src/api.ts b/crates/librefang-api/dashboard/src/api.ts
@@ -283,6 +283,7 @@ export interface ScheduleItem {
   id: string;
   name?: string;
   cron?: string;
+  tz?: string | null;
   description?: string;
   message?: string;
   enabled?: boolean;
@@ -1253,6 +1254,7 @@ export async function listSchedules(): Promise<ScheduleItem[]> {
 export async function createSchedule(payload: {
   name: string;
   cron: string;
+  tz?: string;
   agent_id?: string;
   workflow_id?: string;
   message?: string;
@@ -1267,6 +1269,7 @@ export async function updateSchedule(
     enabled?: boolean;
     name?: string;
     cron?: string;
+    tz?: string;
     agent_id?: string;
     message?: string;
   }
@@ -1478,8 +1481,49 @@ export async function listApprovals(): Promise<ApprovalItem[]> {
   return data.approvals ?? [];
 }
 
-export async function approveApproval(id: string): Promise<ApiActionResponse> {
-  return post<ApiActionResponse>(`/api/approvals/${encodeURIComponent(id)}/approve`, {});
+export async function approveApproval(id: string, totpCode?: string): Promise<ApiActionResponse> {
+  const body = totpCode ? { totp_code: totpCode } : {};
+  return post<ApiActionResponse>(`/api/approvals/${encodeURIComponent(id)}/approve`, body);
+}
+
+// ── TOTP second-factor management ──
+
+export interface TotpSetupResponse {
+  otpauth_uri: string;
+  secret: string;
+  qr_code: string | null;
+  recovery_codes: string[];
+  message: string;
+}
+
+export interface TotpStatusResponse {
+  enrolled: boolean;
+  confirmed: boolean;
+  enforced: boolean;
+  remaining_recovery_codes: number;
+}
+
+export async function totpSetup(currentCode?: string): Promise<TotpSetupResponse> {
+  const body = currentCode ? { current_code: currentCode } : {};
+  return post<TotpSetupResponse>("/api/approvals/totp/setup", body);
+}
+
+export async function totpConfirm(code: string): Promise<ApiActionResponse> {
+  return post<ApiActionResponse>("/api/approvals/totp/confirm", { code });
+}
+
+export async function totpStatus(): Promise<TotpStatusResponse> {
+  return get<TotpStatusResponse>("/api/approvals/totp/status");
+}
+
+export async function totpRevoke(code: string): Promise<ApiActionResponse> {
+  const response = await fetch("/api/approvals/totp/revoke", {
+    method: "POST",
+    headers: buildHeaders({ "Content-Type": "application/json" }),
+    body: JSON.stringify({ code }),
+  });
+  if (!response.ok) throw await parseError(response);
+  return response.json();
 }
 
 export async function rejectApproval(id: string): Promise<ApiActionResponse> {

diff --git a/crates/librefang-api/dashboard/src/components/NotificationCenter.tsx b/crates/librefang-api/dashboard/src/components/NotificationCenter.tsx
@@ -1,7 +1,7 @@
 import { useState } from "react";
 import { useQuery, useQueryClient } from "@tanstack/react-query";
 import { Bell, Check, X, ExternalLink } from "lucide-react";
-import { fetchApprovalCount, listApprovals, approveApproval, rejectApproval } from "../api";
+import { fetchApprovalCount, listApprovals, approveApproval, rejectApproval, totpStatus } from "../api";
 import { useTranslation } from "react-i18next";
 import { useUIStore } from "../lib/store";
 import { useNavigate } from "@tanstack/react-router";
@@ -26,12 +26,26 @@ export function NotificationCenter() {
     refetchInterval: open ? 5000 : false,
   });
 
+  const totpQuery = useQuery({
+    queryKey: ["totp", "status"],
+    queryFn: totpStatus,
+    staleTime: 60_000,
+  });
+  const totpEnforced = totpQuery.data?.enforced ?? false;
+
   const pendingCount = countQuery.data ?? 0;
   const pendingItems = (listQuery.data ?? []).filter(
     (a) => !a.status || a.status === "pending"
   );
 
   const handleAction = async (id: string, action: "approve" | "reject") => {
+    // When TOTP is enforced, redirect to Approvals page for approve
+    if (action === "approve" && totpEnforced) {
+      setOpen(false);
+      navigate({ to: "/approvals" });
+      addToast(t("approvals.totpRequired", "TOTP code required. Use the Approvals page."), "info");
+      return;
+    }
     try {
       if (action === "approve") await approveApproval(id);
       else await rejectApproval(id);