Web UI: Auth and deployment boundary #435

Closed
opened 2026-07-07 12:21:03 -05:00 by jcwalker3 · 0 comments
Owner

Problem statement

An internal operator UI must not be exposed as a public unauthenticated service. Deployment assumptions need documentation and basic enforcement.

Scope

Document and implement internal-only serving model:

  • local/internal deployment only in MVP
  • recommend Cloudflare Access/WARP/VPN if exposed beyond localhost
  • no public unauthenticated access
  • no secrets in frontend
  • document environment variables and runtime assumptions

Acceptance criteria

  • Documentation explains local/internal deployment only for MVP
  • Recommends Cloudflare Access/WARP/VPN (or equivalent) if exposed beyond trusted network
  • Server refuses or warns on unsafe public bind configurations
  • No secrets in frontend bundle or client-side storage
  • Documents required environment variables and runtime assumptions (repo root, profile config path, Gitea host)

Non-goals

  • Building full SSO in MVP
  • Hosting on public internet without access controls
  • Embedding Gitea tokens in the UI

Relation to tracker

Child of tracker #425. Implements one slice of the MCP Control Plane internal web UI. Does not duplicate backend policy already enforced by MCP tools/workflows.

Dependencies

Depends on #426. Can proceed in parallel with other read-only pages.

Notes

Treat the UI as an operator console, not a customer-facing app.

## Problem statement An internal operator UI must not be exposed as a public unauthenticated service. Deployment assumptions need documentation and basic enforcement. ## Scope Document and implement internal-only serving model: - local/internal deployment only in MVP - recommend Cloudflare Access/WARP/VPN if exposed beyond localhost - no public unauthenticated access - no secrets in frontend - document environment variables and runtime assumptions ## Acceptance criteria - Documentation explains local/internal deployment only for MVP - Recommends Cloudflare Access/WARP/VPN (or equivalent) if exposed beyond trusted network - Server refuses or warns on unsafe public bind configurations - No secrets in frontend bundle or client-side storage - Documents required environment variables and runtime assumptions (repo root, profile config path, Gitea host) ## Non-goals - Building full SSO in MVP - Hosting on public internet without access controls - Embedding Gitea tokens in the UI ## Relation to tracker Child of tracker #425. Implements one slice of the MCP Control Plane internal web UI. Does not duplicate backend policy already enforced by MCP tools/workflows. ## Dependencies Depends on #426. Can proceed in parallel with other read-only pages. ## Notes Treat the UI as an operator console, not a customer-facing app.
Sign in to join this conversation.
No labels
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#435