Web UI
The web UI provides a lightweight operator console for managing agent runs, approvals, tool policies, cost tracking, and security alerts. It is served as a single Go binary with embedded static assets and connects to Temporal and Postgres for live data.
Source: cmd/ui/main.go, assets in cmd/ui/ui/*.
Purpose
Provides a lightweight operator console for run list, run details, approvals, questions, repair log, and replay console. Tool approvals are managed on a separate page. Stream interval is configurable from the top bar (1s/2s/5s).
Start
go run ./cmd/ui --addr :8080
Then open http://localhost:8080.
Tool approvals: http://localhost:8080/tools.html.
Cost dashboard: http://localhost:8080/cost.html.
Audit trail: http://localhost:8080/audit.html.
Security alerts: http://localhost:8080/security.html.
Immune console: http://localhost:8080/immune.html.
Use the immune console to inspect unresolved anomalies/quarantine state and issue quarantine releases (requires admin token).
The security page now also includes composite-step telemetry (success/failure totals, p95 latency, and top failing steps).
API Endpoints
- GET /api/health
- GET /api/health/detail
- GET /api/runs?status=Running|Completed|Failed&search=<id>&page_size=20&page_token=...
- GET /api/run?id=<workflow_id>&run_id=<run_id>
- GET /api/stream?workflow_id=<workflow_id>&run_id=<run_id> (SSE)
- GET /api/cost?workflow_id=<workflow_id>&run_id=<run_id>
- GET /api/costs?from=<RFC3339>&to=<RFC3339>&group=day|model&page_size=50
- GET /api/quota?tenant_id=<tenant_id>
- GET /api/security/alerts?tenant_id=<tenant_id>
- GET /api/composites/metrics?tenant_id=<tenant_id>&limit=10
- GET /api/immune/anomalies?tenant_id=<tenant_id>&limit=200
- GET /api/immune/quarantine?tenant_id=<tenant_id>
- POST /api/immune/release with JSON body: {"tenant_id":"default","tool_name":"sim_git_pr","released_by":"operator","reason":"validated fix"}
- GET /api/audit?tenant_id=<tenant_id>&run_id=<run_id>&event_type=<type>&from=<RFC3339>&to=<RFC3339>&limit=200
- GET /api/audit/verify?tenant_id=<tenant_id>&from=<RFC3339>&to=<RFC3339>
- POST /api/quota/reset with JSON body: {"tenant_id":"default","window":"day"}
- POST /api/quota/override with JSON body: {"tenant_id":"default","field":"rpm","value":120,"expires":"2h","clear":false}
- POST /api/tools/repair with JSON body: {"registry_id":"default","registry_version":"latest","policies":{"http_get":{"enabled":true,"max_attempts":3}}}
- POST /api/execute with JSON body: {"prompt":"...","model":"optional","registry_id":"default","registry_version":"latest","max_steps":6,"repair_attempts":3,"repair_timeout":"1m","tool_search":"true","tool_limit":20}
- GET /api/tools?registry_id=default&registry_version=latest&search=...&page_size=20&page_token=...
- POST /api/tools/approvals with JSON body: {"registry_id":"default","registry_version":"latest","approvals":{"http_get":true,"calculator":false}}
- POST /api/approve with JSON body: {"workflow_id":"...","run_id":"...","request_id":"step-0","approve":true,"reason":"","tenant_id":"default"}
- POST /api/answer with JSON body: {"workflow_id":"...","run_id":"...","request_id":"question-0","answer":"...","tenant_id":"default"}
- POST /api/replay with JSON body: {"workflow_id":"...","run_id":"...","prompt":"...","from_step":0,"decision_overrides":{}}
Security Notes
- This UI is read/write against your Temporal namespace.
- Deploy behind auth for any shared environment.
- Quota mutation endpoints require X-Cruvero-Admin-Token matching CRUVERO_UI_ADMIN_TOKEN.
- Immune quarantine release endpoint requires X-Cruvero-Admin-Token matching CRUVERO_UI_ADMIN_TOKEN.
- Approval/answer audit attribution can be provided via tenant_id in body or X-Cruvero-Tenant-Id header.
- Operational probes: GET /healthz, GET /readyz, GET /health.
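One way to implement the admin-token gate these notes describe, as an added example that is not Cruvero's own code. The names requireAdminToken, newMux and status are hypothetical, the 403 response is an assumption, and the token value is constructed.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireAdminToken (hypothetical) rejects requests whose X-Cruvero-Admin-Token differs from want.
func requireAdminToken(want string, next http.Handler) http.Handler {
	wantSum := sha256.Sum256([]byte(want))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		gotSum := sha256.Sum256([]byte(r.Header.Get("X-Cruvero-Admin-Token")))
		// Hash both sides so the comparison is fixed-length and constant-time.
		match := subtle.ConstantTimeCompare(gotSum[:], wantSum[:]) == 1
		// Fail closed: an unset CRUVERO_UI_ADMIN_TOKEN must not match a missing header.
		if want == "" || !match {
			http.Error(w, "admin token required", http.StatusForbidden) // status is an assumption
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux wraps the three admin endpoints at registration, so no path-matching logic can be bypassed.
func newMux(adminToken string) *http.ServeMux {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/api/runs", ok) // read endpoint, left ungated in this sketch
	for _, p := range []string{"/api/quota/reset", "/api/quota/override", "/api/immune/release"} {
		mux.Handle(p, requireAdminToken(adminToken, ok))
	}
	return mux
}

// status replays one constructed request and returns the HTTP status; empty sent means no token.
func status(configured, method, path, sent string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("X-Cruvero-Admin-Token", sent)
	rec := httptest.NewRecorder()
	newMux(configured).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status("tok-constructed", "POST", "/api/quota/reset", ""), status("tok-constructed", "POST", "/api/quota/reset", "tok-constructed"))
}
```

In a deployment check, the case worth testing first is the empty configured token: a naive equality test would accept a request that sends no header at all.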
Keycloak Auth (Optional)
Set auth mode to keycloak and provide JWKS + issuer/audience.
Environment variables:
CRUVERO_UI_AUTH=keycloak
CRUVERO_UI_JWKS_URL=https://<keycloak>/realms/<realm>/protocol/openid-connect/certs
CRUVERO_UI_ISSUER=https://<keycloak>/realms/<realm>
CRUVERO_UI_AUDIENCE=<client-id>
Flags (override env):
--auth keycloak
--jwks-url ...
--issuer ...
--audience ...
Related Docs
- CLI Reference
- Agent Workflow
--readonly to disable approve/replay
--cors to enable CORS for API endpoints