serve

package
v0.10.0 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 30, 2026 License: MIT Imports: 24 Imported by: 0

Documentation

Overview

Package serve hosts the kpot WebUI. One daemon per vault, bound to 127.0.0.1, accessed from a phone via SSH tunnel + VPN.

Architecture and threat model are documented in docs/serve.md and /home/shin/.claude/plans/kpot-webui-url-id-ssh-vpn-vpn-fw0-ssh-we-distributed-charm.md.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Run

func Run(opts Options) error

Run starts the WebUI server and blocks until SIGINT/SIGTERM.

Types

type Options

type Options struct {
	// VaultPath is the resolved path to the .kpot file. Caller is
	// responsible for v0.7+ name resolution.
	VaultPath string

	// BindAddr is the host or IP the listener binds to. Empty or
	// "127.0.0.1" is the safe default — access via SSH tunnel only.
	// Set to a VPN interface IP (e.g. WireGuard wg0 / Tailscale)
	// for direct phone access without an SSH tunnel. Anything other
	// than 127.0.0.1 / ::1 / localhost triggers a stderr WARNING at
	// startup so users know they've left the loopback default
	// deliberately.
	BindAddr string

	// Port is the TCP port to listen on. 0 means use 8765.
	Port int

	// Idle is the per-session idle timeout. Zero means use 30 min.
	// Negative disables idle locking entirely.
	Idle time.Duration

	// NoCache forces the daemon to skip the OS keychain even if a
	// DEK is cached. Every web visit then requires a passphrase via
	// the login form.
	NoCache bool

	// Cfg supplies keychain mode, idle defaults, etc.
	Cfg config.Config
}

Options configure a Run() call. Zero values are sensible defaults where applicable.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server holds runtime state shared across handlers.

type SessionState

type SessionState int

SessionState reports whether a session is currently usable.

const (
	// StateActive means the session has an unlocked DEK and a live
	// DecryptedVault. API calls succeed.
	StateActive SessionState = iota
	// StateLocked means the idle timer fired; DEK was zeroed and
	// DecryptedVault was dropped. Cookie still recognised, but every
	// request except /api/login returns 401 reauth.
	StateLocked
)
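
The idle-lock behaviour documented for Options.Idle and StateLocked, sketched as an added example; this is not the package's own code. The names `session`, `touch` and `gate`, the `/api/notes` path and the key bytes are hypothetical, and the sketch does not model unlocking again after a successful login.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

type state int // hypothetical mirror of the documented SessionState

const (
	active state = iota // DEK present, API calls succeed
	locked              // DEK zeroed, only /api/login is served
)

type session struct { // hypothetical stand-in for the unexported session
	dek      []byte
	lastSeen time.Time
	st       state
}

// touch applies the idle rule (0 = 30 min, <0 = never lock); callers must serialize.
func (s *session) touch(now time.Time, idle time.Duration) state {
	if idle == 0 {
		idle = 30 * time.Minute
	}
	if s.st == active && idle > 0 && now.Sub(s.lastSeen) > idle {
		for i := range s.dek { // zero key material before dropping the reference
			s.dek[i] = 0
		}
		s.dek, s.st = nil, locked
	} else if s.st == active {
		s.lastSeen = now // activity resets the idle clock
	}
	return s.st
}

// gate returns the status for path: 401 while locked, except /api/login.
func gate(s *session, path string, now time.Time, idle time.Duration) int {
	if s.touch(now, idle) == locked && path != "/api/login" {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

func main() {
	s := &session{dek: []byte{1, 2, 3}, lastSeen: time.Unix(0, 0)} // constructed key
	fmt.Println(gate(s, "/api/notes", time.Unix(31*60, 0), 0))     // 31 min idle
}
```

The check runs on every request, so the cookie can stay valid while the key is gone: a locked session still reaches the login endpoint and nothing else.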
