admin

package
v1.0.0-beta.1 Latest
Warning

This package is not in the latest version of its module.

Published: Feb 18, 2026 License: AGPL-3.0 Imports: 33 Imported by: 0

Documentation

Overview

Package admin provides web UI and JSON API handlers for Sentinel Gate.

Package admin provides a web UI for Sentinel Gate OSS. It allows viewing and editing policies and rules.

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AdminAPIHandler

type AdminAPIHandler struct {
	// contains filtered or unexported fields
}

AdminAPIHandler provides JSON API endpoints for the admin interface. It coexists with the legacy AdminHandler, which serves the template-based UI.

func NewAdminAPIHandler

func NewAdminAPIHandler(opts ...AdminAPIOption) *AdminAPIHandler

NewAdminAPIHandler creates a new AdminAPIHandler with the given options.

func (*AdminAPIHandler) AddResponseScanController

func (h *AdminAPIHandler) AddResponseScanController(ctrl ResponseScanController)

AddResponseScanController registers an additional scan controller that will be updated whenever the content scanning config changes. This is used for the HTTP gateway's response scan interceptor, which is a separate instance from the MCP one.

func (*AdminAPIHandler) Routes

func (h *AdminAPIHandler) Routes() http.Handler

Routes returns an http.Handler with all admin API routes registered. The auth status endpoint is accessible without auth middleware. All other admin API routes enforce localhost-only access.
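One way a localhost-only rule with a single exempt route can be enforced and checked, as an added example that is not Sentinel Gate's own code. The names localhostOnly, isLoopback and probe, the auth status path and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Hypothetical path: the page does not name the real auth status route.
const authStatusPath = "/admin/api/auth/status"

// isLoopback reports whether RemoteAddr ("host:port") is a loopback peer.
// Only the TCP peer address is used; X-Forwarded-For is client-controlled.
func isLoopback(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false // fail closed on anything unparsable
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// localhostOnly answers 403 to non-loopback peers, except on authStatusPath.
func localhostOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != authStatusPath && !isLoopback(r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the middleware and returns
// the HTTP status it produced.
func probe(path, remoteAddr, forwardedFor string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {})
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.RemoteAddr = remoteAddr
	req.Header.Set("X-Forwarded-For", forwardedFor)
	rec := httptest.NewRecorder()
	localhostOnly(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe("/admin/api/stats", "127.0.0.1:50000", ""))
	fmt.Println(probe("/admin/api/stats", "203.0.113.7:50000", "127.0.0.1"))
	fmt.Println(probe(authStatusPath, "203.0.113.7:50000", ""))
}
```

A check of this kind only sees the immediate TCP peer, so when a reverse proxy on the same host fronts the admin listener every request appears to come from loopback and the restriction has to be applied at the proxy instead.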

func (*AdminAPIHandler) SetApprovalStore

func (h *AdminAPIHandler) SetApprovalStore(store *action.ApprovalStore)

SetApprovalStore sets the approval store after construction. This is needed when the store is created after the AdminAPIHandler (due to boot sequence ordering where BOOT-07 builds the interceptor chain after the admin handler).

func (*AdminAPIHandler) SetHTTPGatewayController

func (h *AdminAPIHandler) SetHTTPGatewayController(ctrl HTTPGatewayController)

SetHTTPGatewayController sets the HTTP Gateway controller after construction. This is needed when the HTTP gateway is created after the AdminAPIHandler (due to boot sequence ordering where BOOT-07 builds the gateway after services).

func (*AdminAPIHandler) SetOutboundAdminService

func (h *AdminAPIHandler) SetOutboundAdminService(s *service.OutboundAdminService)

SetOutboundAdminService sets the outbound admin service after construction. This is needed when the service is created after the AdminAPIHandler (due to boot sequence ordering where BOOT-07 builds the interceptor chain after services).

func (*AdminAPIHandler) SetResponseScanController

func (h *AdminAPIHandler) SetResponseScanController(ctrl ResponseScanController)

SetResponseScanController sets the response scan controller after construction. This is needed when the interceptor is created after the AdminAPIHandler (due to boot sequence ordering where BOOT-07 builds the interceptor chain after services).

func (*AdminAPIHandler) SetToolSecurityService

func (h *AdminAPIHandler) SetToolSecurityService(s *service.ToolSecurityService)

SetToolSecurityService sets the tool security service after construction.

type AdminAPIOption

type AdminAPIOption func(*AdminAPIHandler)

AdminAPIOption configures an AdminAPIHandler dependency.

func WithAPILogger

func WithAPILogger(l *slog.Logger) AdminAPIOption

WithAPILogger sets the logger.

func WithAgentRegistry

func WithAgentRegistry(r *service.AgentRegistry) AdminAPIOption

WithAgentRegistry sets the agent registry on the AdminAPIHandler.

func WithApprovalStore

func WithApprovalStore(store *action.ApprovalStore) AdminAPIOption

WithApprovalStore sets the approval store on the AdminAPIHandler.

func WithAuditReader

func WithAuditReader(r AuditReader) AdminAPIOption

WithAuditReader sets the audit record reader for queries.

func WithAuditService

func WithAuditService(s *service.AuditService) AdminAPIOption

WithAuditService sets the audit logging service.

func WithAuthStore

func WithAuthStore(s *memory.AuthStore) AdminAPIOption

WithAuthStore sets the in-memory auth store for syncing keys on creation/revocation.

func WithBuildInfo

func WithBuildInfo(info *BuildInfo) AdminAPIOption

WithBuildInfo sets the build version information.

func WithDiscoveryService

func WithDiscoveryService(s *service.ToolDiscoveryService) AdminAPIOption

WithDiscoveryService sets the tool discovery service.

func WithIdentityService

func WithIdentityService(s *service.IdentityService) AdminAPIOption

WithIdentityService sets the identity and API key management service.

func WithOutboundAdminService

func WithOutboundAdminService(s *service.OutboundAdminService) AdminAPIOption

WithOutboundAdminService sets the outbound rule admin service.

func WithPolicyAdminService

func WithPolicyAdminService(s *service.PolicyAdminService) AdminAPIOption

WithPolicyAdminService sets the policy admin service on the AdminAPIHandler.

func WithPolicyEvalService

func WithPolicyEvalService(s *service.PolicyEvaluationService) AdminAPIOption

WithPolicyEvalService sets the policy evaluation service on the AdminAPIHandler.

func WithPolicyService

func WithPolicyService(s *service.PolicyService) AdminAPIOption

WithPolicyService sets the policy evaluation service.

func WithPolicyStore

func WithPolicyStore(s policy.PolicyStore) AdminAPIOption

WithPolicyStore sets the policy persistence store.

func WithResponseScanController

func WithResponseScanController(ctrl ResponseScanController) AdminAPIOption

WithResponseScanController sets the response scan controller on the AdminAPIHandler.

func WithStartTime

func WithStartTime(t time.Time) AdminAPIOption

WithStartTime sets the server start time for uptime calculation.

func WithStateStore

func WithStateStore(s *state.FileStateStore) AdminAPIOption

WithStateStore sets the file state store.

func WithStatsService

func WithStatsService(s *service.StatsService) AdminAPIOption

WithStatsService sets the stats service for dashboard statistics.

func WithToolCache

func WithToolCache(c *upstream.ToolCache) AdminAPIOption

WithToolCache sets the shared tool cache.

func WithToolSecurityService

func WithToolSecurityService(s *service.ToolSecurityService) AdminAPIOption

WithToolSecurityService sets the tool security service.

func WithUpstreamManager

func WithUpstreamManager(m *service.UpstreamManager) AdminAPIOption

WithUpstreamManager sets the upstream connection lifecycle manager.

func WithUpstreamService

func WithUpstreamService(s *service.UpstreamService) AdminAPIOption

WithUpstreamService sets the upstream CRUD service.

type AdminHandler

type AdminHandler struct {
	// contains filtered or unexported fields
}

AdminHandler handles the admin UI routes.

func NewAdminHandler

func NewAdminHandler(cfg *config.OSSConfig, logger *slog.Logger) (*AdminHandler, error)

NewAdminHandler creates a new admin UI handler.

func (*AdminHandler) AddLogEntry

func (h *AdminHandler) AddLogEntry(entry AuditEntry)

AddLogEntry adds an audit entry to the in-memory buffer for display.

func (*AdminHandler) Handler

func (h *AdminHandler) Handler() http.Handler

Handler returns an http.Handler with all admin routes.

func (*AdminHandler) SetOnPolicyChange

func (h *AdminHandler) SetOnPolicyChange(fn func())

SetOnPolicyChange sets a callback function that will be called when policies change.

func (*AdminHandler) SetVersion

func (h *AdminHandler) SetVersion(v string)

SetVersion sets the version string displayed in the SPA sidebar.

type AuditEntry

type AuditEntry struct {
	Timestamp  string
	IdentityID string
	ToolName   string
	Decision   string
}

AuditEntry represents a single audit log entry for display.

func CreateAuditEntry

func CreateAuditEntry(identityID, toolName, decision string) AuditEntry

CreateAuditEntry creates an AuditEntry from audit record data.

type AuditQueryResponse

type AuditQueryResponse struct {
	Records    []AuditRecordDTO `json:"records"`
	NextCursor string           `json:"next_cursor,omitempty"`
	Count      int              `json:"count"`
}

AuditQueryResponse is the JSON response for GET /admin/api/audit.

type AuditReader

type AuditReader interface {
	// GetRecent returns the N most recent audit records.
	GetRecent(n int) []audit.AuditRecord
	// Query retrieves audit records matching the filter.
	Query(filter audit.AuditFilter) ([]audit.AuditRecord, string, error)
}

AuditReader provides read access to recent audit records for the admin API. This is a minimal interface used by the admin API; full query support is in audit.AuditQueryStore.

type AuditRecordDTO

type AuditRecordDTO struct {
	Timestamp      string                 `json:"timestamp"`
	SessionID      string                 `json:"session_id"`
	IdentityID     string                 `json:"identity_id"`
	IdentityName   string                 `json:"identity_name,omitempty"`
	ToolName       string                 `json:"tool_name"`
	ToolArguments  map[string]interface{} `json:"tool_arguments,omitempty"`
	Decision       string                 `json:"decision"`
	Reason         string                 `json:"reason"`
	RuleID         string                 `json:"rule_id"`
	RequestID      string                 `json:"request_id"`
	LatencyMicros  int64                  `json:"latency_micros"`
	Protocol       string                 `json:"protocol,omitempty"`
	Framework      string                 `json:"framework,omitempty"`
	ScanDetections int                    `json:"scan_detections"`
	ScanAction     string                 `json:"scan_action,omitempty"`
	ScanTypes      string                 `json:"scan_types,omitempty"`
}

AuditRecordDTO is the JSON representation of an audit record.

type BuildInfo

type BuildInfo struct {
	Version   string
	Commit    string
	BuildDate string
}

BuildInfo holds build-time version information. Injected via WithBuildInfo option to avoid import cycles with cmd package.

type HTTPGatewayController

type HTTPGatewayController interface {
	// TLS inspection
	TLSEnabled() bool
	SetTLSEnabled(enabled bool)
	BypassList() []string
	SetBypassList(list []string)
	// Upstream targets (from state.json)
	Targets() []httpgw.UpstreamTarget
	SetTargets(targets []httpgw.UpstreamTarget)
	// CA cert (PEM bytes, nil if no CA)
	CACertPEM() []byte
}

HTTPGatewayController provides admin API access to HTTP Gateway config. Implemented by the concrete httpGatewayControllerImpl in start.go.

type MatchedRuleDetail

type MatchedRuleDetail struct {
	ID        string `json:"id"`
	Name      string `json:"name"`
	Priority  int    `json:"priority"`
	ToolMatch string `json:"tool_match"`
	Condition string `json:"condition"`
	Action    string `json:"action"`
}

MatchedRuleDetail contains the details of the rule that matched during evaluation.

type PolicyEvaluateStatusResponse

type PolicyEvaluateStatusResponse struct {
	RequestID string `json:"request_id"`
	Status    string `json:"status"`
	Decision  string `json:"decision"`
	UpdatedAt string `json:"updated_at"`
}

PolicyEvaluateStatusResponse is the response for GET /api/v1/policy/evaluate/{request_id}/status.

type PolicyTestRequest

type PolicyTestRequest struct {
	// ToolName is the tool to test against (required).
	ToolName string `json:"tool_name"`
	// Arguments are optional tool arguments for CEL evaluation.
	Arguments map[string]interface{} `json:"arguments,omitempty"`
	// Roles are user roles to simulate (defaults to empty).
	Roles []string `json:"roles,omitempty"`
	// IdentityID is a simulated identity ID.
	IdentityID string `json:"identity_id,omitempty"`
	// IdentityName is a simulated identity name.
	IdentityName string `json:"identity_name,omitempty"`
	// ActionType is the canonical action type: "tool_call", "file_read", "file_write", "command_exec", etc.
	ActionType string `json:"action_type,omitempty"`
	// Protocol is the originating protocol: "mcp", "http", "runtime".
	Protocol string `json:"protocol,omitempty"`
	// Framework is the AI framework: "crewai", "langchain", "autogen", etc.
	Framework string `json:"framework,omitempty"`
	// Gateway is the gateway that received the request.
	Gateway string `json:"gateway,omitempty"`
	// DestURL is the destination URL for outbound requests.
	DestURL string `json:"dest_url,omitempty"`
	// DestDomain is the destination domain.
	DestDomain string `json:"dest_domain,omitempty"`
	// DestCommand is the command being executed.
	DestCommand string `json:"dest_command,omitempty"`
}

PolicyTestRequest is the JSON request body for testing a policy evaluation.

type PolicyTestResponse

type PolicyTestResponse struct {
	// Allowed indicates whether the tool call would be permitted.
	Allowed bool `json:"allowed"`
	// Decision is "allow" or "deny".
	Decision string `json:"decision"`
	// RuleID is the ID of the matched rule (empty if default deny with no match).
	RuleID string `json:"rule_id"`
	// RuleName is the name of the matched rule.
	RuleName string `json:"rule_name"`
	// Reason is the explanation from the policy engine.
	Reason string `json:"reason"`
	// MatchedRule contains the full rule details if a rule matched, nil otherwise.
	MatchedRule *MatchedRuleDetail `json:"matched_rule"`
}

PolicyTestResponse is the JSON response from a policy test evaluation.

type ResponseScanController

type ResponseScanController interface {
	Mode() action.ScanMode
	Enabled() bool
	SetMode(mode action.ScanMode)
	SetEnabled(enabled bool)
}

ResponseScanController allows the admin API to control response scanning. The ResponseScanInterceptor from the action package satisfies this interface.

type RuleRequest

type RuleRequest struct {
	PolicyIndex int    `json:"policyIndex"`
	RuleIndex   int    `json:"ruleIndex"` // -1 for new rule
	Name        string `json:"name"`
	Condition   string `json:"condition"`
	Action      string `json:"action"`
}

RuleRequest is the JSON request for creating/updating a rule.

type StatsResponse

type StatsResponse struct {
	Upstreams       int              `json:"upstreams"`
	Tools           int              `json:"tools"`
	Policies        int              `json:"policies"`
	Allowed         int64            `json:"allowed"`
	Denied          int64            `json:"denied"`
	RateLimited     int64            `json:"rate_limited"`
	Errors          int64            `json:"errors"`
	ProtocolCounts  map[string]int64 `json:"protocol_counts"`
	FrameworkCounts map[string]int64 `json:"framework_counts"`
}

StatsResponse is the JSON response for GET /admin/api/stats.

type SystemInfoResponse

type SystemInfoResponse struct {
	Version   string `json:"version"`
	Commit    string `json:"commit"`
	BuildDate string `json:"build_date"`
	GoVersion string `json:"go_version"`
	OS        string `json:"os"`
	Arch      string `json:"arch"`
	Uptime    string `json:"uptime"`
	UptimeSec int64  `json:"uptime_seconds"`
}

SystemInfoResponse is the JSON response for GET /admin/api/system.
