Expand description
Management & health capability: the configuration view/edit surface, the Settings page, and a health check.
Follows the plan’s “symmetry contract”: one shared, serializable DTO renders as JSON for agents
(GET /api/config) and as HTML for humans (GET /settings), and the write path
(PUT /api/config, POST /settings) shares one merge-and-persist function. Handlers live here;
the app is assembled in crate::frontend::server.
Structs§
- ApiIndex
Dto - Discovery index of the agent API: every mounted
/api/*endpoint (method, path, handler name) in a single call, so an agent can enumerate CorTeX’s machine surface without out-of-band docs. Self-describing — built by introspecting the live route table, so it never drifts. - AuthDto
- Masked view of the auth settings — secrets are summarized, never exposed.
- Config
Dto - A masked, serializable view of
CortexConfigsafe to expose over the API and UI. - Config
File - Managed state: the path where the write path persists the configuration file.
- Database
Dto - Masked view of the database settings — the password is never exposed.
- DbHealth
- Health of the database dependency.
- Dispatcher
Health - Reachability of the ZeroMQ dispatcher, probed by a short TCP connect to its bound ports. The
frontend doesn’t otherwise speak to the dispatcher (workers do), so this is a pure liveness
probe of the co-located dispatcher (localhost) — informational, it does not flip the overall
status(a read-only/report-only frontend deployment legitimately runs without a dispatcher). - Health
Dto - Structured health report, identical for agents and human supervisors.
- Liveness
Dto - Minimal, public liveness projection — the open
GET /healthz. Just whether the service is up and its database reachable; deliberately omits the internal topology (corpus paths, pool sizing, dispatcher ports, remediations) thatHealthDtoexposes. The detailed report is admin-only: the/healthscreen and its token-gated agent twinGET /api/health(KNOWN_ISSUES X-1). - Maintenance
AckDto - Acknowledgement for a maintenance job: the background
crate::jobshandle to poll. - Migrations
Health - Health of the schema migrations.
- Pool
Health - Utilization of the web frontend’s database connection pool — a key load / saturation signal
(when
in_useapproachesmax, requests start waiting onpool.get()and may503). - Route
Info - One row of the mounted route surface — an endpoint’s method, URI pattern, and handler name.
- Route
Table - A snapshot of the mounted route table, captured at mount time so the discovery index can never drift from the routes actually served.
- Settings
Form - The editable, non-secret fields of the Settings form (database/auth are edited out-of-band).
- Storage
Health - Health of the shared document storage: every corpus’s
pathis stat-checked on disk. Document bytes live on a shared filesystem (tasks.entryare absolute paths under eachcorpus.path), so a moved/unmounted data mount makes the whole conversion pipeline fail — surfaced here instead of only as mysterious cascading task failures. Informational (the frontend still serves reports from the DB), so it does not flip the overallstatus. Corpora with an empty path are skipped. - Unreadable
Corpus - A corpus whose configured source directory could not be read on disk (missing / unmounted / wrong permissions). Its conversions and re-imports will fail until the path is restored.
Functions§
- analyze
- Triggers a planner-statistics refresh (
ANALYZEover the high-churn tables) as a background job — keeps the planner’s row estimates current after bulk imports/reruns so it keeps choosing the right indexes (e.g. the TODO leasing index) instead of waiting for autovacuum (DB ongoing-maintenance;docs/DB_TUNING.md). Token-gated; returns202+ the job handle, pollGET /api/jobs/<job>for per-table progress. Debounced. - analyze_
human - The human twin of
analyze: the health screen’s “Refresh planner statistics” button. Gated by the signed-inAdminSessioncookie (anonymous → sign-in). Spawns the same debounced analyze job and redirects to/jobs. - api_
config - The effective configuration, masked for safe exposure (the agent twin of the Settings screen).
Token-gated via the
Actorguard (clean401without a token), matching the human/settings(require_admin) and the write twinPUT /api/config— config is admin-only on every surface. Secrets are masked regardless (DB password →***, only the token count is shown), but the operational config (DB host/user/name, ports, pool/queue tuning) is not for anonymous eyes. - api_
health - Detailed health report for agents — the token-gated JSON twin of the admin
health_pagescreen (sharingHealthDto). Gated by theActorguard (clean401without a token) so the internal topology it exposes (corpus paths, pool sizing, dispatcher ports) isn’t world-readable like the open/healthzonce was (KNOWN_ISSUES X-1). - api_
index GET /api— the agent-API discovery index (seeApiIndexDto).- health_
page - The human health screen: the HTML twin of
GET /api/health, sharingHealthDto— database reachability, migration currency, and live connection-pool utilization at a glance. Signed-in admins only (unauthenticated → sign-in page); the public/healthzJSON probe stays open for liveness, but the detailed view is admin/token-gated. - healthz
- Public liveness probe — minimal by design (KNOWN_ISSUES X-1):
{status, database.reachable}only, safe to expose unauthenticated at the edge for load balancers and agents. The detailed report (pool, dispatcher ports, corpus storage, remediations) is admin-only: the/healthscreen and its token-gated agent twinapi_health(GET /api/health). - post_
settings - Human write path: a native form POST from the Settings page; persists, then redirects back.
Gated by the signed-in
AdminSessioncookie (the Settings screen is signed-in-only; anonymous → sign-in). - put_
config - Agent write path: deep-merge a partial config patch, persist it, and return the masked result.
Token-gated via the
Actorguard — rewriting the running configuration (dispatcher ports, queue/result sizes, asset dirs, the job stall threshold) is a consequential mutation, so it requires a validX-Cortex-Tokenexactly like every other agent write (the human twinpost_settingsisAdminSession-gated).401without a token. - reindex
- Triggers an online index rebuild (
REINDEX (CONCURRENTLY)over the high-churn tables) as a background job — index bloat slows scans over time, and this rebuilds without an exclusive lock (DB ongoing-maintenance;docs/DB_TUNING.md). Token-gated; returns202+ the job handle, pollGET /api/jobs/<job>for per-table progress. Debounced. - reindex_
human - The human twin of
reindex: the health screen’s “Reindex database now” button. Gated by the signed-inAdminSessioncookie (the health screen is itself signed-in-only; anonymous → sign-in). Spawns the same debounced reindex job and redirects to/jobs. - routes
- The route set for the management/health/settings capability.
- settings
- The Settings page: the human (HTML) twin of
GET /api/config. Signed-in admins only (unauthenticated → sign-in page); the agent twin keeps the token guard.