rdp-proxy/web-admin/README.md
2026-04-28 22:29:50 +03:00

# Platform Owner Control Panel
Primary Web/Admin shell for Secure Access Fabric platform-owner operations.
This UI is for product owner / platform owner scope. It is not the future
organization admin panel and must not expose full internal mesh topology to
organization users.
Architecture boundary:
- WEB is HTTP/HTTPS ingress and presentation.
- Cluster configuration belongs to Control Plane APIs.
- PostgreSQL remains the source of truth.
- Dynamic admin pages must be safe, scoped, schema-driven projections.
- Secrets, internal topology, peer caches, route caches, and raw credentials
must not be embedded in pages.
See:
- `docs/architecture/WEB_INGRESS_AND_ADMIN_UI_MODEL.md`
- `docs/architecture/CLUSTER_NODE_ADMIN_FOUNDATION.md`
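The "schema-driven projection" rule above (and the organization-safe summary preview listed under Current Scope) can be enforced in the page layer with an allow-list projection. The following is an added example, not code from the web-admin project; the schema field names, the `DENY_KEY` pattern and the sample record are constructed for illustration.

```javascript
// Added example, not code from the web-admin project. It applies the
// "schema-driven projection" boundary: the page model is built only from fields
// the schema names, so secrets, peer/route caches and raw topology cannot reach
// the page. Schema field names and the sample record are constructed.
// Keys withheld even if a schema mistakenly lists them (assumed pattern).
const DENY_KEY = /secret|password|credential|token|private|peer|route_cache|topology/i;
// Organization-safe cluster summary: field name -> required primitive type.
// Objects and arrays are never projected, so peer directories and route tables
// stay out by construction.
const ORG_SAFE_CLUSTER_SCHEMA = {
  cluster_id: "string",
  display_name: "string",
  health: "string",
  node_count: "number",
  workload_count: "number",
};

// Returns { view, dropped }: `view` holds only schema fields of the right type;
// `dropped` lists every withheld source key so the omission can be audited.
function projectRecord(record, schema) {
  const view = {};
  const dropped = [];
  for (const [key, type] of Object.entries(schema)) {
    if (DENY_KEY.test(key)) { dropped.push(key); continue; }
    const value = record[key];
    if (value === undefined) continue;                          // absent: nothing to show
    if (typeof value !== type) { dropped.push(key); continue; } // wrong shape: withhold, never coerce
    view[key] = value;
  }
  for (const key of Object.keys(record)) {
    if (!(key in schema)) dropped.push(key);                    // unlisted: never passed through
  }
  return { view, dropped };
}

// Constructed Control Plane response mixing safe fields with material that the
// architecture boundary says must not be embedded in pages.
const SAMPLE_CLUSTER_RECORD = {
  cluster_id: "cl-example-01",
  display_name: "Example cluster",
  health: "healthy",
  node_count: 3,
  workload_count: 2,
  cluster_signing_key_secret: "PLACEHOLDER-NOT-A-REAL-KEY",
  peer_directory: [{ node: "n1", endpoint: "10.0.0.1:51820" }],
  route_cache: { "n1->n2": ["relay-a"] },
};

function organizationSafeSummary() {
  return projectRecord(SAMPLE_CLUSTER_RECORD, ORG_SAFE_CLUSTER_SCHEMA);
}
```

The `dropped` list is meant for server-side audit logging of what was withheld, not for display in the page.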
## Current Scope
Implemented platform-owner sections:
- command overview
- installation status and first-owner bootstrap screen backed by signed
Product Root activation manifests
- multi-cluster health posture
- cluster creation
- cluster authority/mutation guard with cluster key fingerprint visibility
- node inventory
- node membership disable and identity revoke boundaries
- join token creation with signed authority envelope visibility
- join request approve/reject with signed approval envelope visibility
- role assignment
- workload desired-state setting
- workload status readout
- mesh preparation observations
- node-scoped synthetic mesh config visibility, including endpoint candidate,
peer directory, recovery seed, rendezvous lease counts, and C17X advisory
scoring boundary, plus cluster authority signature status
- C17Z-C17Z18 production `fabric.control` forwarding/config/runtime,
rendezvous/relay control-plane boundary, rendezvous lease telemetry, and
lease refresh plus relay replacement policy, route/path decision visibility,
route generation tracker status visibility, and synthetic route-health
effective-path visibility
- QoS foundation readout
- VPN/IP tunnel control-plane desired state
- stale VPN lease cleanup action
- organization-safe summary preview
- cluster audit
Not implemented:
- organization admin UI as a separate tenant product surface
- production mesh runtime
- VPN/IP tunnel runtime
- TUN/TAP, route, DNS, firewall, or QoS execution
- RDP runtime changes
- arbitrary plugin JavaScript or dynamic executable pages
- direct database mutation from WEB
## Build
```powershell
cd web-admin
npm install
npm run build
```
## Run Locally
```powershell
cd web-admin
npm run dev -- --port 5173
```
Open:
```text
http://127.0.0.1:5173
```
The admin console should run on a dedicated admin host/port. It is not intended
to be the public product landing page on generic `80/443` web ingress.
Default backend API inside the panel:
```text
/api/v1
```
The local Vite dev server proxies `/api` to the remote test backend
`http://192.168.200.61:8080` by default, avoiding browser CORS issues while
keeping the Control Plane API unchanged. Override the proxy target when needed:
```powershell
$env:RAP_ADMIN_API_PROXY = "http://192.168.200.61:8080"
npm run dev -- --port 5173
```
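How the proxy target override described above can be resolved and validated before it is handed to Vite, as an added example (not the project's own `vite.config`). The validation rules are an assumption added here; the README only documents the variable and its default.

```javascript
// Added example, not the project's vite.config. It resolves the `/api` proxy
// target from RAP_ADMIN_API_PROXY with the documented default, and adds a
// validation step (assumed here, not stated by the README) so that a stray
// value cannot point API traffic at an unintended scheme, path or userinfo.
const DEFAULT_API_PROXY = "http://192.168.200.61:8080";

// Returns the origin (scheme://host:port) to proxy to, or throws.
function resolveProxyTarget(env) {
  const raw = (env.RAP_ADMIN_API_PROXY || "").trim();
  if (raw === "") return DEFAULT_API_PROXY;
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`RAP_ADMIN_API_PROXY is not a valid URL: ${raw}`);
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`RAP_ADMIN_API_PROXY must be http or https, got ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new Error("RAP_ADMIN_API_PROXY must not carry credentials in the URL");
  }
  if (url.pathname !== "/" || url.search || url.hash) {
    throw new Error("RAP_ADMIN_API_PROXY must be an origin only; /api paths are kept as-is");
  }
  return url.origin; // normalised: no trailing slash, no path
}

// Vite `server.proxy` entry: every request under /api goes to the backend,
// the Host header is rewritten to the target, and TLS certificates are
// verified when the target is https.
function buildDevProxy(env) {
  const target = resolveProxyTarget(env);
  return {
    "/api": { target, changeOrigin: true, secure: target.startsWith("https:") },
  };
}

// In vite.config.js this would be wired as:
//   export default defineConfig({ server: { proxy: buildDevProxy(process.env) } });
```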
The start screen shows installation authority status. If the backend reports an
unbootstrapped installation, it switches to the first-owner form and accepts a
signed activation manifest plus signature. Otherwise it shows only login and
password fields; it does not expose API URLs or language/settings to
unauthenticated users.
After authentication the panel verifies platform-owner/platform-admin access
through Control Plane APIs before opening the console. Users without product-owner
scope must not see this panel. Organization admins and organization users require
separate scoped panels.
Language selection is available only after login in the profile area. It is stored
as a user-scoped browser preference for this MVP. Backend user-profile persistence
for language/locale is a later Control Plane profile setting.
The panel shows real Control Plane data only. If cluster counts are zero, the
cluster has no approved node-agent nodes, roles, workloads, VPN records, or mesh
observations yet.
## Safety Rules
- The console is platform-owner/platform-admin only.
- Capabilities are technical facts only.
- Roles are explicit policy assignments.
- Organization topology is intentionally not shown.
- VPN records are desired state only; no runtime tunnel is started here.
- Synthetic mesh config visibility is platform-owner scope only. Endpoint
candidates and health-aware scoring remain advisory and do not start
service traffic forwarding.
- Rendezvous leases are control-plane-only route metadata for relay health
paths; they do not enable payload forwarding.
- Relay replacement policy summaries are platform-owner control-plane
visibility only; they do not publish organization topology or start payload
forwarding.
- Route/path decision summaries are also platform-owner control-plane
visibility only in synthetic config and recent heartbeat tables; effective
hops are planning metadata, not payload routing.
- Route-health rows in Fabric links show synthetic control-plane probes,
selected relay, expected/observed hops, and drift status. They are not
service payload routes.
- C17Z production forwarding is limited to route-bound `fabric.control` direct
next-hop delivery behind an explicit node-agent gate. RDP, VPN, file, video,
and service workload payloads remain out of scope.
- High-risk actions should require backend authorization, audit, and future
step-up authentication.