Module webui

Expand description

cellctl webui — localhost reverse proxy + static bundle host.

Per ADR-0017, the web view ships with cellctl, not with cellos-server. Operators invoke cellctl webui to spin up a foreground localhost proxy:

Serves crates/cellos-ctl/static/ (the Vite build output) at /.
Reverse-proxies GET /v1/* and GET /ws/events upstream to the cellos-server URL configured in ~/.cellctl/config, injecting the bearer token on the way out. The bundle never sees the token.
Refuses any non-GET method with HTTP 405 (Allow: GET). This is the structural enforcement of ADR-0016’s read-only browser boundary.
Binds a session token in a URL fragment (/#sess=<base64>) and swaps it for an HttpOnly; SameSite=Strict cookie via POST /auth/exchange. Subsequent proxy + WS requests require the cookie. The fragment is cleared by the bundle’s bootstrap once the cookie is set.
Exits cleanly on SIGINT.

Bind modes (ADR-0017 §Decision 4):

--bind auto (default, on Unix): bind BOTH a loopback TCP port (for the browser) AND a Unix socket at ${XDG_RUNTIME_DIR:-/tmp}/cellctl-webui-<pid>.sock (for inter-process tooling that wants to bypass loopback). On Windows, auto degrades to loopback-only.
--bind loopback: TCP loopback only.
--bind unix (Unix only): Unix socket only. The browser cannot reach a Unix socket directly — this mode is for inter-process forwarders (e.g. socat / ssh -L). On Windows this errors out.

The Unix socket is created with mode 0600 (operator-owned only) and is removed on graceful shutdown (SIGINT).

Enums§