feat(webui): auth and deployment boundary (#435)

Add bind-host assessment that refuses 0.0.0.0/:: without override,
warns on non-loopback binds, and documents internal-only MVP serving.
Health endpoint exposes deployment metadata; docs cover Access/VPN/WARP
and runtime env assumptions without embedding secrets in the client.

Closes #435
This commit is contained in:
2026-07-07 15:37:32 -04:00
parent ee8e9a0247
commit cb48e8a726
7 changed files with 361 additions and 4 deletions
+2
View File
@@ -22,6 +22,8 @@ class TestWebuiSkeleton(unittest.TestCase):
self.assertEqual(data["service"], "mcp-control-plane-webui")
self.assertEqual(data["mode"], "read-only-mvp")
self.assertIn("timestamp", data)
self.assertIn("deployment", data)
self.assertEqual(data["deployment"]["mode"], "internal-operator-console")
def test_home_renders(self):
response = self.client.get("/")