Web UI Tour

The Gatehouse web UI is a single-page app served from the same container as the API. It uses a dark theme by default, is built with vanilla HTML, CSS, and JS (no framework), and loads JetBrains Mono for code and Instrument Sans for headings.

Press Cmd/Ctrl+K anywhere in the UI to open a command palette that fuzzy-searches every page and common action.

Dashboard

The Dashboard shows the operational state of the vault at a glance:

  • Metric cards: total secrets, active leases, recent audit events, policy count
  • Active leases table: path, identity, remaining TTL (live countdown), expires_at, revoke action
  • Recent audit log: last 20 events, color-coded by action type

Secrets

The Secrets tab has a tree view on the left (paths grouped by prefix) and a detail panel on the right. The detail panel shows metadata, version, and timestamps. The secret value is hidden behind a Reveal button that requires confirmation and logs the action to the audit trail.

Leases

Active leases are shown first, with live TTL countdowns updated every second. Lease history (expired and revoked leases) is sortable and filterable by identity.

Policies

Policies are displayed as cards listing the rules and which AppRoles reference each one. Policies defined in YAML files and policies stored in the database are shown together, with their source indicated. Use Reload to pick up YAML changes without restarting the container.

AppRoles

The AppRoles tab manages machine credentials for agent harnesses. Each row has four icon+label actions: Onboard (generate a one-time onboarding link), Edit (rename, change policies, toggle suspend), Suspend/Reinstate, and Delete.

Creating an AppRole opens a credentials-first modal with amber borders showing the role_id and secret_id. Both values must be copied before dismissal; dismissing without copying both prompts a confirmation. A Generate onboarding prompt button on the same modal produces a short curl-to-tempfile snippet you can paste into an agent chat; the agent fetches the bootstrap markdown, exchanges the token once, and writes durable credentials to its own filesystem. Raw secrets never cross the chat window.

If an AppRole is created with zero policies, the UI confirms before proceeding, and the rendered onboard markdown instructs the agent to halt rather than probe.

Users

Human admin accounts for the web UI. Users have a username, display name, optional email, and a password. Each user can enable TOTP two-factor auth for themselves. Admins can force-reset another user’s 2FA if they lose their authenticator.

Dynamic Secrets

Manage dynamic secret provider configurations. Create a config for PostgreSQL, MySQL, MongoDB, Redis, or SSH certificates, test the connection, and see active leases per provider.

Patterns

Browse learned API call patterns, grouped by secret path. Each pattern shows the method, URL template, header and body schema, confidence score, and the list of agents that have verified it. Operators can pin patterns (to prevent deletion) or delete them.

Audit Log

Full audit log with filtering by identity, action, path, and date range. Live tail mode auto-refreshes every 5 seconds. Export as JSON for ingestion into external log tools.

Settings

The Settings page is a stack of admin-only cards. From top to bottom:

  • Health Status: live server version, uptime, database size, master key fingerprint, and last key rotation date.
  • Appearance: toggle the dark / light theme. The choice persists per-browser in localStorage.
  • Server Configuration: read-only readout of the active runtime config (port, JWT expiry, root-token-set flag, lease reaper interval, default and bounding lease TTLs, SSO enabled state). Reflects what GET /v1/config returns.
  • SSO / OAuth Configuration: full OIDC setup (enable toggle, issuer URL, client ID and secret, redirect URI, scopes) plus a “Trust email without email_verified claim” toggle for IdPs (notably PocketID) that omit that claim. Leave that toggle off unless you operate the IdP yourself: with it on, Gatehouse binds an account to an email address the IdP has not asserted as verified. A Test SSO link opens the IdP authorize URL in a new tab so you can probe the flow without logging out. Saving validates the issuer’s .well-known/openid-configuration discovery document before persisting; bad URLs fail loudly.
  • Proxy Limits: two number inputs that override the proxy’s request-timeout ceiling (default 120 seconds, range 1 second to 30 minutes) and upstream-response body cap (default 10 MiB, range 1 KiB to 100 MiB). Changes take effect on the next proxy request, no restart needed. Useful for endpoints that legitimately return large payloads (file fetches, audio transcription, image generation).
  • Two-Factor Authentication: your own TOTP enrollment status. From here you can enable 2FA (scan a QR with any RFC 6238 authenticator), regenerate recovery codes, or disable. Admins manage other users’ 2FA from the Users tab.
  • Danger Zone: three wired actions, each behind a confirm:
    • Purge Expired Leases: drop lease rows whose TTL has elapsed.
    • Purge Old Audit Entries: trim the audit log past a chosen retention cutoff (POST /v1/audit/purge).
    • Rotate Encryption Key: swap the master key and re-wrap every DEK and dynamic config in one atomic operation (POST /v1/admin/rotate-key). Back up the old key before running this.
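The SSO card above says that Saving validates the issuer’s discovery document and that the email_verified toggle relaxes one check. The following is an added example, not Gatehouse’s own code, of what that validation and that claim handling look like when written out. The function names, the specific checks, and the sample discovery documents are assumptions made for the example; the page only states that the document is validated and that bad URLs fail.

```python
"""Validate an OIDC discovery document before an SSO config is saved.

Added example, not Gatehouse code. The page states only that Saving fetches and
validates the issuer's .well-known/openid-configuration document and that a
toggle exists to trust the email claim when email_verified is absent. The
function names, the individual checks and the constructed sample documents
below are this example's own assumptions.
"""
import json
from typing import Optional
from urllib.parse import urlparse

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Discovery URL per OpenID Connect Discovery 1.0, section 4.1."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(issuer: str, body: str) -> dict:
    """Return the parsed document or raise ValueError with a specific reason."""
    u = urlparse(issuer)
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        raise ValueError(f"issuer must be an https URL with no query/fragment: {issuer!r}")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as e:
        raise ValueError(f"discovery document is not JSON: {e}") from e
    # The document's issuer must equal the configured one (trailing slash
    # tolerated). A document served from one host that names another issuer
    # is how issuer mix-up attacks start, so this is a hard failure.
    if str(doc.get("issuer", "")).rstrip("/") != issuer.rstrip("/"):
        raise ValueError(f"issuer mismatch: config {issuer!r}, document {doc.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        ep = doc.get(key)
        if not isinstance(ep, str) or urlparse(ep).scheme != "https":
            raise ValueError(f"{key} missing or not https: {ep!r}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("IdP does not advertise the authorization code flow")
    return doc


def rejects(issuer: str, body: str) -> bool:
    """True if validate_discovery refuses the pair."""
    try:
        validate_discovery(issuer, body)
    except ValueError:
        return True
    return False


def accept_email(claims: dict, trust_unverified: bool) -> Optional[str]:
    """Email to bind to the user, or None when it must not be trusted.

    email_verified=false is always rejected. A missing claim is rejected unless
    the operator turned on "Trust email without email_verified claim".
    """
    email = claims.get("email")
    if not email:
        return None
    verified = claims.get("email_verified")
    if verified is True or (verified is None and trust_unverified):
        return email
    return None


def _doc(issuer: str) -> str:
    """Constructed sample discovery document (not a real IdP response)."""
    base = "https://idp.example.com"
    return json.dumps({
        "issuer": issuer,
        "authorization_endpoint": base + "/authorize",
        "token_endpoint": base + "/token",
        "jwks_uri": base + "/jwks",
        "response_types_supported": ["code", "id_token"],
    })


GOOD_DOC = _doc("https://idp.example.com")
# Served by the idp host but naming a different issuer: must be refused.
SPOOFED_DOC = _doc("https://attacker.example")
```

The issuer comparison is the check that matters most: an IdP URL that resolves and returns valid JSON is not enough if the document names a different issuer, because every later token check keys off that value. The email handling is deliberately asymmetric: an explicit `email_verified: false` is never overridden by the trust toggle, only a missing claim is.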
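The Proxy Limits card gives a timeout ceiling and a body cap with defaults and permitted ranges. As an added example (not Gatehouse’s proxy code), here is how a proxy enforces both while relaying an upstream response: out-of-range settings are refused rather than silently clamped, the body is counted as it streams instead of trusting Content-Length, and one deadline covers the whole request. The function and class names, the chunked-read shape and the injectable clock are assumptions of this example; only the numbers come from the page.

```python
"""Apply the Proxy Limits while relaying an upstream response.

Added example, not Gatehouse proxy code. The defaults and permitted ranges are
the ones the page gives (timeout 120 s within 1 s to 30 min; body cap 10 MiB
within 1 KiB to 100 MiB). The function and class names, the chunked read and
the injectable clock are this example's own assumptions.
"""
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple

TIMEOUT_DEFAULT, TIMEOUT_MIN, TIMEOUT_MAX = 120, 1, 30 * 60
BODY_CAP_DEFAULT, BODY_CAP_MIN, BODY_CAP_MAX = 10 * 1024 ** 2, 1024, 100 * 1024 ** 2


class BodyTooLarge(Exception):
    """Upstream body would exceed the configured cap."""


class UpstreamTimeout(Exception):
    """The whole proxied request has run past its ceiling."""


def validate_limits(timeout_s: int, body_cap: int) -> Tuple[int, int]:
    """Reject out-of-range values loudly instead of clamping them, so a typo
    in the Settings card cannot quietly widen the limits."""
    if not TIMEOUT_MIN <= timeout_s <= TIMEOUT_MAX:
        raise ValueError(f"timeout {timeout_s}s outside {TIMEOUT_MIN}..{TIMEOUT_MAX}s")
    if not BODY_CAP_MIN <= body_cap <= BODY_CAP_MAX:
        raise ValueError(f"body cap {body_cap} outside {BODY_CAP_MIN}..{BODY_CAP_MAX} bytes")
    return timeout_s, body_cap


def limits_rejected(timeout_s: int, body_cap: int) -> bool:
    try:
        validate_limits(timeout_s, body_cap)
    except ValueError:
        return True
    return False


class Deadline:
    """One ceiling for the entire proxied request, not per read.

    Each socket read should use min(remaining(), per_read_timeout); otherwise
    an upstream that trickles one byte per second never hits the ceiling.
    """

    def __init__(self, seconds: float, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._end = clock() + seconds

    def remaining(self) -> float:
        left = self._end - self._clock()
        if left <= 0:
            raise UpstreamTimeout("request exceeded the proxy timeout ceiling")
        return left


def precheck_content_length(headers: Dict[str, str], cap: int) -> Optional[int]:
    """Fail fast on a declared length above the cap. A missing or malformed
    header is tolerated (None); the streaming check still applies."""
    raw = headers.get("content-length") or headers.get("Content-Length")
    if raw is None or not raw.strip().isdigit():
        return None
    declared = int(raw)
    if declared > cap:
        raise BodyTooLarge(f"Content-Length {declared} exceeds cap {cap}")
    return declared


def read_capped(chunks: Iterable[bytes], cap: int, deadline: Optional[Deadline] = None) -> bytes:
    """Accumulate the body, aborting the moment the running total would pass
    the cap. Counting bytes actually received, not the declared length, is
    what bounds memory against an upstream that lies or uses chunked encoding."""
    buf = bytearray()
    for chunk in chunks:
        if deadline is not None:
            deadline.remaining()  # raises UpstreamTimeout once past the ceiling
        if len(buf) + len(chunk) > cap:
            raise BodyTooLarge(f"upstream body exceeds {cap} bytes")
        buf += chunk
    return bytes(buf)


def read_capped_ok(chunks: Iterable[bytes], cap: int) -> bool:
    try:
        read_capped(chunks, cap)
    except BodyTooLarge:
        return False
    return True


def deadline_trips(chunks: List[bytes], ticks: List[float], seconds: float = 10.0) -> bool:
    """Drive read_capped with a scripted clock (constructed monotonic readings)."""
    it = iter(ticks)
    deadline = Deadline(seconds, clock=lambda: next(it))
    try:
        read_capped(chunks, 10 ** 6, deadline=deadline)
    except UpstreamTimeout:
        return True
    return False
```

When `read_capped` raises, the caller should also close the upstream connection rather than drain it; draining a 100 MiB response to reach the end defeats the point of the cap.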