GUI Overview¶

The GUI component is a read-only HTTP server plus embedded SPA bundle, built as the autonomy-gui binary.

What it is¶

Read-only projection of control-plane data for fleet, node, telemetry, lock, and release views.
Single self-contained binary serving both API and frontend assets.
SQLite opened in read-only mode and verified at startup.

Non-goals¶

No runtime command execution against edge nodes.
No control-plane database mutation through GUI API routes.
No admin/debug/metrics endpoint surface.

Authority Model¶

Edge runtime remains authoritative for decisions.
Control plane is observational storage.
GUI is projection and tooling surface; it does not gain execution authority.

flowchart LR E[Edge Runtime] -->|events, reports| CP[Control Plane DB] CP -->|read-only queries| G[autonomy-gui API] G --> SPA[Embedded SPA] SPA -->|GET /api/v1/*| G

Implementation map¶

Entrypoint: gui/cmd/gui/main.go (run, buildAuthConfig).
Router: gui/internal/api/gateway.go (NewGateway).
Auth/RBAC middleware: gui/internal/auth/middleware.go, gui/internal/auth/rbac.go.
Read-only DB: gui/internal/db/store.go (Open, startup read-only assertion).
Embedded SPA: gui/web/embed.go + gui/web/dist/*.

Security properties (implemented)¶

Security headers middleware for all responses.
Optional HSTS (--enable-hsts) only when server terminates TLS.
/admin, /debug, /metrics blocked with 404.
Non-versioned /api/* paths explicitly rejected with 410 Gone (authenticated callers).

Not implemented / no evidence¶

Prometheus metrics endpoint on GUI: not implemented (explicitly blocked).
OIDC/JWT issuer discovery: not implemented in GUI auth middleware.
CORS policy configuration knobs: not implemented in GUI backend.

Evidence¶

gui/cmd/gui/main.go
gui/internal/api/gateway.go
gui/internal/api/enforce.go
gui/internal/api/security_headers_test.go
gui/internal/api/versioning_test.go
gui/internal/auth/middleware.go
gui/internal/auth/rbac.go
docs/_generated/test-outputs/gui-startup.txt