Crate kovra_webui

Expand description

kovra-webui — the on-demand, loopback administration Web UI (L10, KOV-22; spec §9.3, §12; invariants I1/I2/I10).

A richer admin surface than the CLI, brought up on demand by kovra ui: an axum server bound to 127.0.0.1 only (I10), behind an ephemeral per-launch session token and an Origin/Host check (anti DNS-rebinding/CSRF even on loopback). It does CRUD + generate plus sensitivity-governed visualization:

low/medium → the value is revealed on demand (fetched per click, never preloaded into the listing, §9.3).
high → masked + truncated fingerprint; the UI defers an actual reveal to the CLI (the trusted, biometric channel). The browser never sees it (I1).
inject-only → existence/metadata only (I2).
reference → the pointer URI is shown/edited, never a value (it has none); at most a resolution status. Keypair private halves and TOTP seeds are likewise never rendered.

The reveal gate is not re-derived here — every reveal runs through kovra_core::decide with Surface::WebUi, so the I1/I2 boundary lives in the core and the UI is a thin adapter (spec §2/§15). Nothing in this crate is [host]: the router is exercised by [mock] endpoint tests; only the real TCP bind + browser-open + Docker packaging (L11) are validated on hardware.

Structs§

AppState: Shared application state. Cheap to clone (an Arc); holds the registry root, the resolved master key (zeroized on drop via MasterKey), the ephemeral session token, and the last-activity instant for the idle watchdog.

Constants§

DEFAULT_PORT: Default loopback port for kovra ui.
SESSION_HEADER: HTTP header carrying the ephemeral per-launch session token.

Functions§

build_app: Build the router for state. The /api/* routes sit behind the ephemeral session-token check; every route (incl. /) is behind the Origin/Host loopback guard. This is the unit exercised by the endpoint tests.
default_addr: The default loopback bind address for kovra ui.
parse_master_key: Parse a master key supplied as a file’s bytes (L11 Docker entrypoint, I9).
serve: Run the server on an already-bound loopback listener until Ctrl-C or idle of inactivity. [host]: the real bind + browser-open are validated on hardware; the router itself is covered by the [mock] endpoint tests.