feat(webui): auth and deployment boundary (#435)

Add bind-host assessment that refuses 0.0.0.0/:: without override,
warns on non-loopback binds, and documents internal-only MVP serving.
Health endpoint exposes deployment metadata; docs cover Access/VPN/WARP
and runtime env assumptions without embedding secrets in the client.

Closes #435
This commit is contained in:
2026-07-09 11:50:40 -04:00
parent 8d1098f916
commit 975674d7f5
7 changed files with 362 additions and 3 deletions
+2
View File
@@ -22,6 +22,8 @@ class TestWebuiSkeleton(unittest.TestCase):
self.assertEqual(data["service"], "mcp-control-plane-webui")
self.assertEqual(data["mode"], "read-only-mvp")
self.assertIn("timestamp", data)
self.assertIn("deployment", data)
self.assertEqual(data["deployment"]["mode"], "internal-operator-console")
def test_home_renders(self):
response = self.client.get("/")