Commit 20d361a886 (2026-05-22 21:46:49 +03:00): working version, but the speed is 10 Mbit

Platform Owner Control Panel

Primary Web/Admin shell for Secure Access Fabric platform-owner operations.

This UI is scoped to product-owner / platform-owner operations. It is not the future organization admin panel and must not expose the full internal mesh topology to organization users.

Architecture boundary:

  • WEB is HTTP/HTTPS ingress and presentation.
  • Cluster configuration is reached through the panel service gateway; the farm transport behind it remains QUIC fabric.
  • PostgreSQL remains the source of truth.
  • Dynamic admin pages must be safe, scoped, schema-driven projections.
  • Secrets, internal topology, peer caches, route caches, and raw credentials must not be embedded in pages.

See:

  • docs/architecture/WEB_INGRESS_AND_ADMIN_UI_MODEL.md
  • docs/architecture/CLUSTER_NODE_ADMIN_FOUNDATION.md
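The "schema-driven projection" boundary above is easiest to reason about as a function: a page never receives the raw record, only the fields an explicit schema allows, and the schema itself is checked against a deny-pattern so nobody can "extend" it with a secret later. The following is an added illustration, not code from this repository; the field names, the deny-pattern and the sample record are constructed for the example.

```javascript
// Added example (not the project's own code): schema-driven projection of a
// raw backend record into the only fields a page may render. Field names,
// the deny-pattern and the sample record are assumptions for illustration.

// What the cluster page is allowed to show, with the expected JSON type.
const CLUSTER_PAGE_SCHEMA = {
  id: 'string',
  name: 'string',
  nodeCount: 'number',
  health: 'string',
  keyFingerprint: 'string', // the fingerprint is visible, the key itself is not
};

// Names that must never reach a page even if someone adds them to a schema.
const FORBIDDEN_FIELD = /secret|token|credential|password|privatekey|peercache|routecache|topology/i;

// Copy only schema fields, refuse forbidden names, and enforce the declared type.
function projectForPage(schema, record) {
  const out = {};
  for (const [field, type] of Object.entries(schema)) {
    if (FORBIDDEN_FIELD.test(field)) {
      throw new Error(`schema must not expose field: ${field}`);
    }
    // hasOwnProperty guards against values inherited from the prototype chain.
    if (!Object.prototype.hasOwnProperty.call(record, field)) continue;
    const value = record[field];
    if (typeof value !== type) {
      throw new Error(`field ${field}: expected ${type}, got ${typeof value}`);
    }
    out[field] = value;
  }
  return out;
}

// Defence in depth: a final check that the projection carries no forbidden key.
function leaksSensitive(projection) {
  return Object.keys(projection).some((k) => FORBIDDEN_FIELD.test(k));
}

// Constructed sample of a backend record that mixes page data with internals.
const rawCluster = {
  id: 'cl-0001',
  name: 'lab-cluster',
  nodeCount: 3,
  health: 'degraded',
  keyFingerprint: 'SHA256:placeholder-fingerprint',
  clusterPrivateKey: '-----BEGIN PRIVATE KEY----- (constructed)',
  peerCache: [{ addr: '10.0.0.5:4433' }],
  joinToken: 'constructed-one-time-token',
};

const clusterView = projectForPage(CLUSTER_PAGE_SCHEMA, rawCluster);
console.log(clusterView, 'leaks:', leaksSensitive(clusterView));
```

The point of checking the schema rather than only the record is that the schema is the thing developers edit: a projection that silently passed `joinToken` through because a later commit added it to `CLUSTER_PAGE_SCHEMA` would defeat the boundary, so the function fails loudly instead.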

Current Scope

Implemented platform-owner sections:

  • command overview
  • installation status and first-owner bootstrap screen backed by signed Product Root activation manifests
  • multi-cluster health posture
  • cluster creation
  • cluster authority/mutation guard with cluster key fingerprint visibility
  • node inventory
  • node membership disable and identity revoke boundaries
  • join token creation with signed authority envelope visibility
  • signed join bundle generation for docker/linux/windows node installs
  • join request approve/reject with signed approval envelope visibility
  • role assignment
  • workload desired-state setting
  • workload status readout
  • mesh preparation observations
  • node-scoped synthetic mesh config visibility, including endpoint candidate, peer directory, recovery seed, rendezvous lease counts, and C17X advisory scoring boundary, plus cluster authority signature status
  • C17Z-C17Z18 production fabric.control forwarding/config/runtime, rendezvous/relay control-plane boundary, rendezvous lease telemetry, and lease refresh plus relay replacement policy, route/path decision visibility, route generation tracker status visibility, and synthetic route-health effective-path visibility
  • QoS foundation readout
  • VPN/IP tunnel control-plane desired state
  • stale VPN lease cleanup action
  • organization-safe summary preview
  • cluster audit

Not implemented:

  • organization admin UI as a separate tenant product surface
  • production mesh runtime
  • VPN/IP tunnel runtime
  • TUN/TAP, route, DNS, firewall, or QoS execution
  • RDP runtime changes
  • arbitrary plugin JavaScript or dynamic executable pages
  • direct database mutation from WEB

Build

cd web-admin
npm install
npm run build

Run Locally

cd web-admin
npm run dev -- --port 5173

Open:

http://127.0.0.1:5173

The admin console should run on a dedicated admin host/port. It is not intended to be the public product landing page on generic 80/443 web ingress.

Path through which the UI reaches the panel service gateway:

/api/v1

The browser never asks the operator for a farm HTTP endpoint. During local development the Vite dev server proxies /api to the panel service gateway. Override the local proxy target only for developer work (PowerShell shown):

$env:RAP_ADMIN_API_PROXY = "http://<panel-service-host>:<port>"
npm run dev -- --port 5173
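How the override above can be consumed without ever baking a gateway address into a production bundle, as an added example that is not the project's own vite.config: the proxy exists only in development mode, RAP_ADMIN_API_PROXY is validated to a bare http(s) origin (no credentials, no path), and anything else is rejected. The default target and the "no proxy outside dev" policy are assumptions made for this example.

```javascript
// Added example (not the project's vite.config.ts): derive the Vite dev-server
// proxy for /api from RAP_ADMIN_API_PROXY. The default target and the rule that
// no proxy object exists outside development mode are assumptions.

// Placeholder for the panel service gateway a fresh checkout talks to.
const DEFAULT_PANEL_GATEWAY = 'http://127.0.0.1:8080';

// Accept only a bare http(s) origin: no userinfo, no path, no query, no fragment.
function validateProxyTarget(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    throw new Error(`RAP_ADMIN_API_PROXY is not a URL: ${raw}`);
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`RAP_ADMIN_API_PROXY must be http or https, got ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new Error('RAP_ADMIN_API_PROXY must not carry credentials');
  }
  if (url.pathname !== '/' || url.search || url.hash) {
    throw new Error('RAP_ADMIN_API_PROXY must be an origin only (no path, query or fragment)');
  }
  return url.origin;
}

// Returns Vite's `server.proxy` object in development mode, or null otherwise:
// a production build talks to /api on its own origin and embeds no target.
function resolveDevProxy(mode, env) {
  if (mode !== 'development') return null;
  const target = env.RAP_ADMIN_API_PROXY
    ? validateProxyTarget(env.RAP_ADMIN_API_PROXY)
    : DEFAULT_PANEL_GATEWAY;
  return {
    '/api': {
      target,
      changeOrigin: true, // rewrite the Host header to the gateway's host
      secure: target.startsWith('https:'), // verify TLS only when the target is https
    },
  };
}

console.log(resolveDevProxy('development', process.env));
```

In a vite.config this would be wired as `server: { proxy: resolveDevProxy(mode, process.env) }` inside the `defineConfig(({ mode }) => ...)` callback; because the function returns null for any other mode, a production build cannot pick up a developer's override by accident.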

The start screen shows installation authority status. If the backend reports an unbootstrapped installation, the start screen switches to the first-owner form and accepts a signed activation manifest plus its signature. Otherwise it shows only login and password fields; it does not expose API URLs or language/settings to unauthenticated users.

After authentication the panel verifies platform-owner/platform-admin access through the panel service gateway before opening the console. Users without product-owner scope must not see this panel. Organization admins and organization users require separate scoped panels.
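The two paragraphs above describe a small decision sequence: the installation status picks the unauthenticated view, and only the scope check after login opens the console. The following added example (not code from this repository) models that sequence; the status field names, the scope names and the sample responses are assumptions. The client-side decision is a presentation choice only; the panel service gateway must still enforce the scope on every request.

```javascript
// Added example (not the project's own code): start-screen and post-login view
// selection. Status field names, scope names and sample responses are assumptions.

// The only status fields an unauthenticated screen may see; everything else
// (API URLs, locale, internal hosts) is dropped before rendering.
const UNAUTHENTICATED_FIELDS = ['installed', 'bootstrapRequired'];

function publicInstallStatus(status) {
  const out = {};
  for (const key of UNAUTHENTICATED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(status, key)) out[key] = status[key];
  }
  return out;
}

// Unbootstrapped installation -> first-owner form; anything else -> plain login.
function selectStartScreen(status) {
  const s = publicInstallStatus(status);
  if (s.bootstrapRequired === true) {
    return { view: 'first-owner', fields: ['activationManifest', 'signature'] };
  }
  return { view: 'login', fields: ['login', 'password'] };
}

// Scopes that may open the console; organization roles are served elsewhere.
const CONSOLE_SCOPES = new Set(['platform-owner', 'platform-admin']);

function selectPostLoginView(session) {
  const scopes = session && Array.isArray(session.scopes) ? session.scopes : [];
  return scopes.some((s) => CONSOLE_SCOPES.has(s)) ? 'console' : 'denied';
}

// Constructed sample responses; the extra fields stand in for data that must
// never reach an unauthenticated screen.
const freshInstall = { installed: false, bootstrapRequired: true, apiBaseUrl: 'http://internal.example:9000', locale: 'ru' };
const readyInstall = { installed: true, bootstrapRequired: false, apiBaseUrl: 'http://internal.example:9000', locale: 'en' };

console.log(selectStartScreen(freshInstall).view, selectStartScreen(readyInstall).view);
console.log(selectPostLoginView({ scopes: ['platform-admin'] }), selectPostLoginView({ scopes: ['org-admin'] }));
```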

Language selection is available only after login in the profile area. It is stored as a user-scoped browser preference for this MVP. Backend user-profile persistence for language/locale is a later Control Plane profile setting.

The panel shows real farm data only. If a cluster's counts are zero, that cluster simply has no approved node-agent nodes, roles, workloads, VPN records, or mesh observations yet.

The current node enrollment surface is bundle-first:

  • the panel creates a one-time install token
  • the panel requests a signed join bundle from the panel service gateway
  • the operator downloads or posts that bundle to the target machine
  • rap-host-agent install* --join-bundle ... performs the first install
  • after first start, node enrollment, update, and control traffic use QUIC fabric

Safety Rules

  • The console is platform-owner/platform-admin only.
  • Capabilities are technical facts only.
  • Roles are explicit policy assignments.
  • Organization topology is intentionally not shown.
  • VPN records are desired state only; no runtime tunnel is started here.
  • Synthetic mesh config visibility is platform-owner scope only. Endpoint candidates and health-aware scoring remain advisory and do not start service traffic forwarding.
  • Rendezvous leases are control-plane-only route metadata for relay health paths; they do not enable payload forwarding.
  • Relay replacement policy summaries are platform-owner control-plane visibility only; they do not publish organization topology or start payload forwarding.
  • Route/path decision summaries are also platform-owner control-plane visibility only in synthetic config and recent heartbeat tables; effective hops are planning metadata, not payload routing.
  • Route-health rows in Fabric links show synthetic control-plane probes, selected relay, expected/observed hops, and drift status. They are not service payload routes.
  • C17Z production forwarding is limited to route-bound fabric.control direct next-hop delivery behind an explicit node-agent gate. RDP, VPN, file, video, and service workload payloads remain out of scope.
  • High-risk actions should require backend authorization, audit, and future step-up authentication.