feat(web): wire the SPA to the live bus via the gateway (drop mock)

Replace the mock data source with a real data layer that talks to the webgw
gateway over REST + SSE. The UI components keep their look and props; only
where the data comes from changed.

- src/api.ts: the single repository layer. fetch wrappers (same-origin cookie)
  for login/logout/me and rooms list/create/join/send, plus streamRoom() which
  opens an EventSource and yields each decrypted message. Wire->UI mappers
  (roomFromWire, messageFromWire).
- src/types.ts: add the gateway wire shapes (MeInfo, RoomWire, MsgWire) next to
  the existing UI types.
- App.tsx: probe /api/me on mount to resume an existing session; otherwise show
  Login. Logout calls the gateway.
- Login.tsx: the password field now unlocks the gateway session (operator
  passphrase); shows a basic error and a loading state. Wallet-per-browser is
  phase 2.
- ChatShell.tsx: load rooms from /api/rooms with loading / empty / error states;
  same Flex layout.
- ChatPanel.tsx: stream messages over SSE for the active room (dedup by id),
  composer sends through the gateway; no optimistic insert (the peer's own echo
  returns over SSE with the real frame id).
- vite.config.ts: dev proxy /api (REST + SSE) -> the gateway on :8481.

mock.ts is left untouched (no longer imported) to avoid churn with the parallel
styling work on master.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

app.md

@@ -2,7 +2,7 @@
 name: unibus
 lang: go
 domain: infra
-version: 0.11.0
+version: 0.10.0
 description: "Bus de mensajería unificado sobre NATS+JetStream con cifrado E2E por room (megolm/olm reducido): service de membresía/claves, librería cliente y peers demo."
 tags: [service, messaging, nats, e2e]
 uses_functions:
@@ -169,26 +169,6 @@ agent.<nombre>.{in,out}   inbox/outbox de agente LLM (agent.scout.in)
 
 ## Capability growth log
 
-- v0.11.0 (2026-06-07) — flag dedicado `UNIBUS_NATS_MONITOR` que abre el endpoint
-  de monitoring HTTP del nats-server embebido (`127.0.0.1:8222`, loopback only) de
-  forma DESACOPLADA del debug-log. Antes el monitoring solo se abría con
-  `UNIBUS_NATS_DEBUG=1`, que además encendía el log verboso del nats-server
-  (rutas/RAFT/subjects a journald en claro) — incompatible con el endurecimiento
-  del issue 0007. El cómputo de los toggles se extrae a una función pura
-  `natsLogOpts(debugEnv, monitorEnv) (noLog, debug, trace, monitor)`: `MONITOR=1`
-  abre el endpoint dejando el log en silencio (`NoLog` true / `Debug` false), y se
-  mantiene el acoplamiento inverso por compatibilidad (`DEBUG` sigue implicando
-  `MONITOR`). El bind loopback `127.0.0.1` queda hardcoded — el monitoring NUNCA es
-  público y no lleva auth; lo lee un scraper local que empuja a VictoriaMetrics
-  (dashboard `unibus-nats` en `fleet_monitoring`). Se versiona el cableado de
-  deploy: drop-in systemd aditivo `membershipd-cluster.service.d/nats-monitor.conf`
-  (`Environment=UNIBUS_NATS_MONITOR=1`) + sección "NATS server metrics" en el
-  README del cluster con el runbook de activación rolling (magnus→homer→datardos)
-  y gate de reconvergencia R3 (`followers 2/2`) entre nodos. Tests nuevos: tabla
-  pura del desacoplamiento (monitor on ⇒ log NO debug; debug ⇒ monitor; default
-  cerrado) + server real con `MONITOR=1` que confirma `/varz` 200 en loopback:8222
-  y server sin flag con el endpoint cerrado. Cambios 100% aditivos: sin el flag el
-  comportamiento es idéntico; build/test verdes.
 - v0.10.0 (2026-06-07) — API HTTP admin-only de gestión de usuarios, cerrando la
   última asimetría del control plane: las rooms tenían superficie HTTP firmada
   (`POST /rooms`, etc.) pero los users solo se gestionaban por CLI local o acceso

cmd/webgw/gateway.go

@@ -0,0 +1,246 @@
+package main
+
+import (
+	"encoding/hex"
+	"fmt"
+	"strings"
+	"sync"
+
+	cs "fn-registry/functions/cybersecurity"
+
+	"github.com/enmanuel/unibus/pkg/busauth"
+	"github.com/enmanuel/unibus/pkg/client"
+	"github.com/enmanuel/unibus/pkg/frame"
+	"github.com/enmanuel/unibus/pkg/room"
+)
+
+// gateway is the live web gateway: it owns the operator's identity and a single
+// connected unibus client, and turns the bus's crypto-bearing API into the plain
+// REST/SSE surface the browser consumes. The browser never signs, never speaks
+// NATS, and never sees a private key — the gateway is the legitimate room member
+// that seals/opens payloads on the browser's behalf.
+//
+// TRUST MODEL: content stays end-to-end encrypted on the wire. The gateway can
+// read plaintext because it acts AS the operator's client — a real member of
+// each room, holding the room key K like any peer. It is the same trust a native
+// desktop client has. In the wallet phase (per-browser WebCrypto identity) the
+// decryption can move into the browser; today, for the single-operator MVP, the
+// gateway decrypts server-side and pushes cleartext over a loopback/authenticated
+// SSE channel.
+type gateway struct {
+	id         cs.Identity
+	endpoint   string
+	cli        *client.Client
+	refreshACL bool // call RefreshSession after a membership change (needed under a per-subject ACL bus)
+
+	mu   sync.Mutex
+	hubs map[string]*roomHub // roomID -> live fan-out of decrypted frames to SSE clients
+}
+
+// gatewayConfig wires a live gateway.
+type gatewayConfig struct {
+	Identity cs.Identity
+	NatsURL  string
+	CtrlURL  string
+	CtrlURLs []string
+	NatsURLs []string
+	CAPath   string // bus CA; empty => plaintext dev connection (matches a loopback membershipd)
+}
+
+// newGateway connects the unibus client with the operator identity following the
+// same posture seam every peer uses: a non-empty CA path means TLS + nkey, empty
+// means plaintext dev. When a CA is configured the bus is assumed to enforce a
+// per-subject ACL, so membership changes trigger a session refresh.
+func newGateway(cfg gatewayConfig) (*gateway, error) {
+	opts := client.Options{
+		CtrlURLs:    cfg.CtrlURLs,
+		NatsServers: cfg.NatsURLs,
+	}
+	if cfg.CAPath != "" {
+		tlsCfg, err := busauth.LoadCATLSConfig(cfg.CAPath)
+		if err != nil {
+			return nil, fmt.Errorf("webgw: load bus CA %q: %w", cfg.CAPath, err)
+		}
+		opts.UseNkey = true
+		opts.TLS = tlsCfg
+		opts.CtrlTLS = tlsCfg
+	}
+	cli, err := client.NewWithOptions(cfg.NatsURL, cfg.CtrlURL, cfg.Identity, opts)
+	if err != nil {
+		return nil, fmt.Errorf("webgw: connect bus client: %w", err)
+	}
+	return &gateway{
+		id:         cfg.Identity,
+		endpoint:   frame.EndpointID(cfg.Identity.SignPub),
+		cli:        cli,
+		refreshACL: cfg.CAPath != "",
+		hubs:       map[string]*roomHub{},
+	}, nil
+}
+
+// Close stops every hub and releases the bus client connection.
+func (g *gateway) Close() error {
+	g.mu.Lock()
+	for _, h := range g.hubs {
+		h.stop()
+	}
+	g.hubs = map[string]*roomHub{}
+	g.mu.Unlock()
+	if g.cli != nil {
+		return g.cli.Close()
+	}
+	return nil
+}
+
+// ---- wire types (browser-facing JSON) ------------------------------------
+
+// meInfo is what GET /api/me returns: the operator identity the gateway acts as.
+type meInfo struct {
+	Endpoint string `json:"endpoint"`
+	SignPub  string `json:"sign_pub"`
+}
+
+// roomWire is the browser view of a room. It deliberately omits messages: those
+// stream over SSE (GET /api/rooms/{id}/stream), not in the room list.
+type roomWire struct {
+	ID       string `json:"id"`
+	Subject  string `json:"subject"`
+	Name     string `json:"name"`
+	Epoch    int    `json:"epoch"`
+	Encrypt  bool   `json:"encrypt"`
+	Persist  bool   `json:"persist"`
+	SignMsgs bool   `json:"sign_msgs"`
+	Role     string `json:"role"`
+}
+
+// createRoomReq is the POST /api/rooms body. Encrypt/Persist/SignMsgs are
+// pointers so an omitted field falls back to the chat default rather than to the
+// Go zero value (false). The common case — the browser sending only {subject,
+// encrypted} — maps encrypted onto all three (the Matrix-like chat policy).
+type createRoomReq struct {
+	Subject   string `json:"subject"`
+	Encrypted *bool  `json:"encrypted,omitempty"`
+	Encrypt   *bool  `json:"encrypt,omitempty"`
+	Persist   *bool  `json:"persist,omitempty"`
+	SignMsgs  *bool  `json:"sign_msgs,omitempty"`
+}
+
+// policy resolves the requested policy. A bare {subject} defaults to the
+// Matrix-like chat room (encrypted + persisted + signed) so a created room keeps
+// durable, end-to-end-encrypted, authored history. Callers can override any leg.
+func (r createRoomReq) policy() room.Policy {
+	enc, per, sig := true, true, true
+	if r.Encrypted != nil {
+		enc, per, sig = *r.Encrypted, *r.Encrypted, *r.Encrypted
+	}
+	if r.Encrypt != nil {
+		enc = *r.Encrypt
+	}
+	if r.Persist != nil {
+		per = *r.Persist
+	}
+	if r.SignMsgs != nil {
+		sig = *r.SignMsgs
+	}
+	return room.Policy{Encrypt: enc, Persist: per, SignMsgs: sig}
+}
+
+// sendReq is the POST /api/rooms/{id}/send body.
+type sendReq struct {
+	Body string `json:"body"`
+}
+
+// msgWire is one decrypted message pushed over SSE.
+type msgWire struct {
+	ID     string `json:"id"`
+	Sender string `json:"sender"`
+	Body   string `json:"body"`
+	TS     int64  `json:"ts"` // epoch ms (decoded from the frame's ULID id)
+	Mine   bool   `json:"mine"`
+}
+
+// ---- operations -----------------------------------------------------------
+
+func (g *gateway) me() meInfo {
+	return meInfo{Endpoint: g.endpoint, SignPub: hex.EncodeToString(g.id.SignPub)}
+}
+
+// subjectName derives a short, human-friendly room name from its bus subject by
+// dropping the leading namespace segment (room., test., proc., agent.). It is a
+// display nicety only; the canonical identity stays the subject/room id.
+func subjectName(subject string) string {
+	for _, p := range []string{"room.", "test.", "proc.", "agent.", "rpc."} {
+		if strings.HasPrefix(subject, p) {
+			return strings.TrimPrefix(subject, p)
+		}
+	}
+	return subject
+}
+
+func (g *gateway) listRooms() ([]roomWire, error) {
+	rooms, err := g.cli.ListMyRooms()
+	if err != nil {
+		return nil, err
+	}
+	out := make([]roomWire, 0, len(rooms))
+	for _, rm := range rooms {
+		out = append(out, roomWire{
+			ID:       rm.RoomID,
+			Subject:  rm.Subject,
+			Name:     subjectName(rm.Subject),
+			Epoch:    rm.Epoch,
+			Encrypt:  rm.Policy.Encrypt,
+			Persist:  rm.Policy.Persist,
+			SignMsgs: rm.Policy.SignMsgs,
+			Role:     rm.Role,
+		})
+	}
+	return out, nil
+}
+
+func (g *gateway) createRoom(req createRoomReq) (roomWire, error) {
+	subject := strings.TrimSpace(req.Subject)
+	if subject == "" {
+		return roomWire{}, fmt.Errorf("webgw: subject required")
+	}
+	p := req.policy()
+	roomID, err := g.cli.CreateRoom(subject, p)
+	if err != nil {
+		return roomWire{}, err
+	}
+	// Under a per-subject ACL the operator's frozen NATS permissions do not yet
+	// cover the new room's subject; refresh so subsequent data-plane use works. On
+	// a plaintext/non-ACL dev bus this is unnecessary and would needlessly drop any
+	// live SSE subscriptions, so it is gated on the secured posture.
+	if g.refreshACL {
+		_ = g.cli.RefreshSession()
+	}
+	return roomWire{
+		ID:       roomID,
+		Subject:  subject,
+		Name:     subjectName(subject),
+		Epoch:    1,
+		Encrypt:  p.Encrypt,
+		Persist:  p.Persist,
+		SignMsgs: p.SignMsgs,
+		Role:     "owner",
+	}, nil
+}
+
+// join resolves room metadata and (for encrypted rooms) fetches the room key so
+// the gateway can later open payloads. Idempotent.
+func (g *gateway) join(roomID string) error {
+	if err := g.cli.Join(roomID); err != nil {
+		return err
+	}
+	if g.refreshACL {
+		_ = g.cli.RefreshSession()
+	}
+	return nil
+}
+
+// send publishes plaintext to a room. The unibus client seals it with the room
+// key (encrypted rooms) and signs it (signed rooms) before it leaves the process.
+func (g *gateway) send(roomID, body string) error {
+	return g.cli.Publish(roomID, []byte(body))
+}

cmd/webgw/hub.go

@@ -0,0 +1,140 @@
+package main
+
+import (
+	"sync"
+
+	"github.com/enmanuel/unibus/pkg/client"
+	"github.com/enmanuel/unibus/pkg/frame"
+	"github.com/oklog/ulid/v2"
+)
+
+// roomHub multiplexes ONE unibus room subscription to MANY SSE clients. The
+// unibus client derives a per-(room, endpoint) durable consumer name, so a
+// second Subscribe for the same room from the same operator would contend for
+// the same durable (load-balanced delivery) rather than each browser receiving
+// every message. The hub holds a single subscription per room and fans each
+// decrypted frame out to every connected browser, which also means the gateway
+// opens at most one bus subscription per room regardless of how many tabs watch
+// it.
+type roomHub struct {
+	roomID     string
+	myEndpoint string
+	sub        *client.Sub
+
+	mu      sync.Mutex
+	clients map[chan msgWire]struct{}
+}
+
+// frameTS decodes the millisecond timestamp embedded in a frame's ULID id. A
+// malformed id (should not happen for bus-produced frames) yields 0, which the
+// browser renders without crashing.
+func frameTS(msgID string) int64 {
+	id, err := ulid.Parse(msgID)
+	if err != nil {
+		return 0
+	}
+	return int64(id.Time())
+}
+
+// newRoomHub opens the single bus subscription for roomID and starts fanning
+// decrypted frames out to registered clients. The room must already be joined
+// (so the gateway holds the room key) before this is called.
+func newRoomHub(cli *client.Client, roomID, myEndpoint string) (*roomHub, error) {
+	h := &roomHub{
+		roomID:     roomID,
+		myEndpoint: myEndpoint,
+		clients:    map[chan msgWire]struct{}{},
+	}
+	sub, err := cli.Subscribe(roomID, func(f frame.Frame, plaintext []byte) {
+		m := msgWire{
+			ID:     f.MsgID,
+			Sender: f.Sender,
+			Body:   string(plaintext),
+			TS:     frameTS(f.MsgID),
+			Mine:   f.Sender == myEndpoint,
+		}
+		h.broadcast(m)
+	})
+	if err != nil {
+		return nil, err
+	}
+	h.sub = sub
+	return h, nil
+}
+
+// broadcast delivers a message to every registered client without blocking the
+// NATS delivery goroutine: a client whose buffer is full (a stalled browser)
+// drops this frame rather than stalling the whole room.
+func (h *roomHub) broadcast(m msgWire) {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	for ch := range h.clients {
+		select {
+		case ch <- m:
+		default:
+		}
+	}
+}
+
+// add registers a new SSE client channel.
+func (h *roomHub) add(ch chan msgWire) {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	h.clients[ch] = struct{}{}
+}
+
+// stop unsubscribes from the bus. Local delivery ends; for a persisted room the
+// durable consumer's ack position stays on the server, so a later subscription
+// with the same operator resumes from where it left off.
+func (h *roomHub) stop() {
+	if h.sub != nil {
+		_ = h.sub.Unsubscribe()
+	}
+}
+
+// openStream joins the room (idempotent; fetches the room key for encrypted
+// rooms), attaches an SSE client to the room's hub (creating it on first watcher),
+// and returns the client's message channel plus a cleanup func. The cleanup
+// detaches the client and, when it was the last watcher, tears down the room's
+// single bus subscription.
+func (g *gateway) openStream(roomID string) (chan msgWire, func(), error) {
+	if err := g.join(roomID); err != nil {
+		return nil, nil, err
+	}
+	g.mu.Lock()
+	h := g.hubs[roomID]
+	if h == nil {
+		var err error
+		h, err = newRoomHub(g.cli, roomID, g.endpoint)
+		if err != nil {
+			g.mu.Unlock()
+			return nil, nil, err
+		}
+		g.hubs[roomID] = h
+	}
+	g.mu.Unlock()
+
+	// Buffer so a brief render hitch in the browser does not drop live frames; a
+	// sustained stall still drops (broadcast is non-blocking) rather than wedging
+	// the room.
+	ch := make(chan msgWire, 64)
+	h.add(ch)
+
+	// cleanup takes g.mu before h.mu (the single, consistent lock order) so a
+	// concurrent openStream that re-creates the hub cannot race the teardown.
+	cleanup := func() {
+		g.mu.Lock()
+		defer g.mu.Unlock()
+		h.mu.Lock()
+		delete(h.clients, ch)
+		empty := len(h.clients) == 0
+		h.mu.Unlock()
+		if empty {
+			if cur := g.hubs[roomID]; cur == h {
+				delete(g.hubs, roomID)
+				h.stop()
+			}
+		}
+	}
+	return ch, cleanup, nil
+}

cmd/webgw/identity.go

@@ -0,0 +1,98 @@
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+
+	cs "fn-registry/functions/cybersecurity"
+)
+
+// identityJSON mirrors the on-disk / pass-stored identity format shared across
+// the unibus tooling: the four keypair halves, each std-base64. It is the SAME
+// shape the bus client persists (pkg/client identity file) and the operator's
+// `pass` entry unibus/operator-identity, so the web gateway loads the operator's
+// identity without a divergent serialization. Kept in lockstep with
+// unibus_admin/internal/admin/identity.go.
+type identityJSON struct {
+	SignPub  string `json:"sign_pub"`
+	SignPriv string `json:"sign_priv"`
+	KexPub   string `json:"kex_pub"`
+	KexPriv  string `json:"kex_priv"`
+}
+
+// decodeIdentity turns the JSON identity bytes into a cs.Identity. The private
+// halves stay only in memory; this never writes them anywhere.
+func decodeIdentity(raw []byte) (cs.Identity, error) {
+	var f identityJSON
+	if err := json.Unmarshal(raw, &f); err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: parse identity json: %w", err)
+	}
+	dec := base64.StdEncoding.DecodeString
+	signPub, err := dec(f.SignPub)
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: decode sign_pub: %w", err)
+	}
+	signPriv, err := dec(f.SignPriv)
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: decode sign_priv: %w", err)
+	}
+	kexPub, err := dec(f.KexPub)
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: decode kex_pub: %w", err)
+	}
+	kexPriv, err := dec(f.KexPriv)
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: decode kex_priv: %w", err)
+	}
+	if len(signPub) != 32 || len(signPriv) != 64 || len(kexPub) != 32 || len(kexPriv) != 32 {
+		return cs.Identity{}, fmt.Errorf("webgw: identity has wrong key sizes (sign_pub=%d sign_priv=%d kex_pub=%d kex_priv=%d)",
+			len(signPub), len(signPriv), len(kexPub), len(kexPriv))
+	}
+	return cs.Identity{SignPub: signPub, SignPriv: signPriv, KexPub: kexPub, KexPriv: kexPriv}, nil
+}
+
+// loadIdentityFromFile reads a 0600 identity JSON file (the same format the bus
+// client writes) and decodes it. Used on a deploy host where `pass` is not
+// available and the operator identity is delivered as a protected file.
+func loadIdentityFromFile(path string) (cs.Identity, error) {
+	raw, err := os.ReadFile(path)
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: read identity file %q: %w", path, err)
+	}
+	return decodeIdentity(raw)
+}
+
+// loadIdentityFromPass shells out to `pass show <entry>` and decodes the JSON
+// identity it returns. The secret is held only in memory; this process never
+// writes it to disk or argv. Used in local operator workflows where the GNU
+// password store holds unibus/operator-identity.
+func loadIdentityFromPass(entry string) (cs.Identity, error) {
+	out, err := exec.Command("pass", "show", entry).Output()
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: pass show %q: %w", entry, err)
+	}
+	return decodeIdentity(out)
+}
+
+// loadPassValue returns the first line of a `pass show <entry>` for non-identity
+// secrets (e.g. the unlock passphrase). Empty entry yields an empty string and
+// no error, so callers can treat "no pass entry configured" as "not set".
+func loadPassValue(entry string) (string, error) {
+	if entry == "" {
+		return "", nil
+	}
+	out, err := exec.Command("pass", "show", entry).Output()
+	if err != nil {
+		return "", fmt.Errorf("webgw: pass show %q: %w", entry, err)
+	}
+	s := string(out)
+	for i := 0; i < len(s); i++ {
+		if s[i] == '\n' || s[i] == '\r' {
+			return s[:i], nil
+		}
+	}
+	return s, nil
+}

cmd/webgw/main.go

@@ -0,0 +1,180 @@
+// Command webgw is the web gateway for the unibus chat SPA. It is a single Go
+// binary that holds the operator's bus identity, connects to the bus as a real
+// authenticated peer (pkg/client), and exposes a small REST + SSE API the
+// browser consumes. The browser never signs, never speaks NATS, and never sees a
+// private key: it authenticates to the gateway with a passphrase and thereafter
+// holds only an opaque session cookie.
+//
+// TRUST MODEL (MVP, single operator): room content stays end-to-end encrypted on
+// the bus. The gateway can read plaintext because it acts AS the operator's
+// client — a legitimate member of each room holding the room key. Decryption
+// happens server-side in this process; cleartext then crosses an authenticated
+// (loopback or TLS-fronted) SSE channel to the browser. The wallet phase (issue:
+// per-browser WebCrypto identity) can move decryption into the browser; see the
+// report for the FASE 2 plan.
+//
+//	# local dev against a loopback membershipd (plaintext), operator from pass:
+//	webgw --identity-pass unibus/operator-identity \
+//	  --ctrl-url http://127.0.0.1:8470 --nats-url nats://127.0.0.1:4250
+//
+//	# secured cluster (TLS + nkey on both planes), identity from a 0600 file:
+//	webgw --ca ca.crt --identity-file operator.id \
+//	  --ctrl-url https://node-a:8470 --nats-url nats://node-a:4250 \
+//	  --ctrl-urls https://node-b:8470,https://node-c:8470 \
+//	  --nats-urls nats://node-b:4250,nats://node-c:4250
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"time"
+
+	cs "fn-registry/functions/cybersecurity"
+)
+
+func main() {
+	var (
+		bind         = flag.String("bind", "127.0.0.1", "interface to bind the gateway HTTP server to (loopback by default)")
+		port         = flag.String("port", "8481", "gateway HTTP port")
+		ctrlURL      = flag.String("ctrl-url", "http://127.0.0.1:8470", "primary unibus control-plane base URL")
+		ctrlURLs     = flag.String("ctrl-urls", "", "comma-separated ADDITIONAL control-plane base URLs (cluster failover)")
+		natsURL      = flag.String("nats-url", "nats://127.0.0.1:4250", "primary NATS URL")
+		natsURLs     = flag.String("nats-urls", "", "comma-separated ADDITIONAL NATS seed URLs (cluster failover)")
+		caPath       = flag.String("ca", "", "bus CA cert path; set to talk TLS+nkey to a secured bus (empty = plaintext dev)")
+		identityFile = flag.String("identity-file", "", "path to the operator identity JSON file (0600). Mutually exclusive with --identity-pass")
+		identityPass = flag.String("identity-pass", "", "pass(1) entry holding the operator identity JSON, e.g. unibus/operator-identity")
+		unlockPass   = flag.String("unlock-pass", "", "literal passphrase the browser must send to unlock a session (dev). Prefer --unlock-pass-entry")
+		unlockEntry  = flag.String("unlock-pass-entry", "unibus/admin-panel-password", "pass(1) entry holding the unlock passphrase (used when --unlock-pass is empty)")
+		webDir       = flag.String("web-dir", "", "OPTIONAL path to the built SPA (web/dist) to serve. Empty = API only (use vite dev server)")
+	)
+	flag.Parse()
+
+	log.SetFlags(log.LstdFlags | log.Lmsgprefix)
+	log.SetPrefix("[webgw] ")
+
+	id, err := loadIdentity(*identityFile, *identityPass)
+	if err != nil {
+		log.Fatalf("%v", err)
+	}
+
+	unlock := *unlockPass
+	if unlock == "" {
+		unlock, err = loadPassValue(*unlockEntry)
+		if err != nil {
+			log.Fatalf("resolve unlock passphrase: %v", err)
+		}
+	}
+	if unlock == "" {
+		log.Fatalf("an unlock passphrase is required: set --unlock-pass or a non-empty --unlock-pass-entry (default unibus/admin-panel-password)")
+	}
+
+	resolvedWebDir := resolveWebDir(*webDir)
+
+	gw, err := newGateway(gatewayConfig{
+		Identity: id,
+		NatsURL:  *natsURL,
+		CtrlURL:  *ctrlURL,
+		CtrlURLs: splitCSV(*ctrlURLs),
+		NatsURLs: splitCSV(*natsURLs),
+		CAPath:   *caPath,
+	})
+	if err != nil {
+		log.Fatalf("%v", err)
+	}
+	defer gw.Close()
+
+	log.Printf("operator endpoint: %s", gw.endpoint)
+	log.Printf("control plane: %s (+%d failover)", *ctrlURL, len(splitCSV(*ctrlURLs)))
+	tls := "OFF (plaintext dev)"
+	if *caPath != "" {
+		tls = "ON (CA " + *caPath + ")"
+	}
+	log.Printf("bus TLS+nkey: %s", tls)
+	if resolvedWebDir != "" {
+		log.Printf("serving SPA from: %s", resolvedWebDir)
+	} else {
+		log.Printf("API only (no --web-dir): use the vite dev server with a /api+stream proxy")
+	}
+
+	srv := newServer(gw, unlock, resolvedWebDir)
+	addr := *bind + ":" + *port
+	httpSrv := &http.Server{
+		Addr:    addr,
+		Handler: srv,
+		// No global write timeout: SSE streams are long-lived. Header timeout still
+		// bounds slowloris on the request line/headers.
+		ReadHeaderTimeout: 10 * time.Second,
+	}
+
+	go func() {
+		log.Printf("web gateway: http://%s", addr)
+		if err := httpSrv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			log.Fatalf("http server: %v", err)
+		}
+	}()
+
+	stop := make(chan os.Signal, 1)
+	signal.Notify(stop, syscall.SIGINT, syscall.SIGTERM)
+	<-stop
+	log.Printf("shutting down...")
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	_ = httpSrv.Shutdown(ctx)
+	log.Printf("bye")
+}
+
+// loadIdentity resolves the operator identity from exactly one of --identity-file
+// or --identity-pass.
+func loadIdentity(file, passEntry string) (cs.Identity, error) {
+	switch {
+	case file != "" && passEntry != "":
+		return cs.Identity{}, errFlag("set only one of --identity-file or --identity-pass")
+	case file != "":
+		return loadIdentityFromFile(file)
+	case passEntry != "":
+		return loadIdentityFromPass(passEntry)
+	default:
+		return cs.Identity{}, errFlag("an identity is required: pass --identity-file <path> or --identity-pass <entry>")
+	}
+}
+
+// resolveWebDir validates the --web-dir flag. An empty flag means API-only. A
+// non-empty dir is kept only if it actually holds an index.html, so a typo logs
+// "API only" rather than serving 404s.
+func resolveWebDir(dir string) string {
+	if dir == "" {
+		return ""
+	}
+	abs, err := filepath.Abs(dir)
+	if err != nil {
+		log.Printf("WARN --web-dir %q: %v; serving API only", dir, err)
+		return ""
+	}
+	if !statFile(filepath.Join(abs, "index.html")) {
+		log.Printf("WARN --web-dir %q has no index.html; serving API only", abs)
+		return ""
+	}
+	return abs
+}
+
+type flagErr string
+
+func (e flagErr) Error() string { return string(e) }
+func errFlag(s string) error    { return flagErr("webgw: " + s) }
+
+func splitCSV(s string) []string {
+	var out []string
+	for _, p := range strings.Split(s, ",") {
+		if p = strings.TrimSpace(p); p != "" {
+			out = append(out, p)
+		}
+	}
+	return out
+}

cmd/webgw/server.go

@@ -0,0 +1,301 @@
+package main
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/hex"
+	"encoding/json"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+)
+
+// sessionCookie is the name of the gateway's session cookie. The browser sends
+// it automatically on same-origin fetches AND on EventSource (SSE) connections —
+// EventSource cannot set custom headers, so a cookie is the only way to
+// authenticate the stream. It is HttpOnly so page JS can never read the token.
+const sessionCookie = "unibus_session"
+
+// server is the gateway's HTTP surface: a small REST/SSE API under /api gated by
+// a session cookie, plus an optional static file server for the built SPA. The
+// gateway's privileged operator identity never leaves the process; the browser
+// authenticates with a passphrase and thereafter holds only an opaque session
+// token.
+type server struct {
+	gw     *gateway
+	unlock string // passphrase that unlocks a session (compared in constant time)
+	webDir string // optional path to the built SPA (web/dist); empty = API only
+	mux    *http.ServeMux
+
+	mu       sync.Mutex
+	sessions map[string]time.Time // token -> issued-at
+}
+
+func newServer(gw *gateway, unlock, webDir string) *server {
+	s := &server{
+		gw:       gw,
+		unlock:   unlock,
+		webDir:   webDir,
+		mux:      http.NewServeMux(),
+		sessions: map[string]time.Time{},
+	}
+	s.routes()
+	return s
+}
+
+func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) { s.mux.ServeHTTP(w, r) }
+
+func (s *server) routes() {
+	// Liveness, unauthenticated (systemd / deploy smoke).
+	s.mux.HandleFunc("GET /healthz", func(w http.ResponseWriter, _ *http.Request) {
+		writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+	})
+
+	// Auth: login is the only /api route reachable without a session.
+	s.mux.HandleFunc("POST /api/login", s.handleLogin)
+	s.mux.HandleFunc("POST /api/logout", s.auth(s.handleLogout))
+	s.mux.HandleFunc("GET /api/me", s.auth(s.handleMe))
+
+	s.mux.HandleFunc("GET /api/rooms", s.auth(s.handleListRooms))
+	s.mux.HandleFunc("POST /api/rooms", s.auth(s.handleCreateRoom))
+	s.mux.HandleFunc("POST /api/rooms/{id}/join", s.auth(s.handleJoin))
+	s.mux.HandleFunc("POST /api/rooms/{id}/send", s.auth(s.handleSend))
+	s.mux.HandleFunc("GET /api/rooms/{id}/stream", s.auth(s.handleStream))
+
+	// Everything else is the SPA (when --web-dir is set). Registered last.
+	if s.webDir != "" {
+		s.mux.Handle("/", s.spaHandler())
+	}
+}
+
+// ---- auth -----------------------------------------------------------------
+
+// auth wraps a handler so it runs only with a valid session cookie. A missing or
+// unknown token yields 401, which the SPA treats as "show the login screen".
+func (s *server) auth(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		c, err := r.Cookie(sessionCookie)
+		if err != nil || !s.validSession(c.Value) {
+			writeErr(w, http.StatusUnauthorized, "not authenticated")
+			return
+		}
+		next(w, r)
+	}
+}
+
+func (s *server) validSession(token string) bool {
+	if token == "" {
+		return false
+	}
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	_, ok := s.sessions[token]
+	return ok
+}
+
+func (s *server) handleLogin(w http.ResponseWriter, r *http.Request) {
+	var req struct {
+		Passphrase string `json:"passphrase"`
+	}
+	if !decode(w, r, &req) {
+		return
+	}
+	// Constant-time compare so a wrong passphrase cannot be timed character by
+	// character. An empty configured passphrase never matches (main refuses to
+	// start without one, so this is defense in depth).
+	if s.unlock == "" || subtle.ConstantTimeCompare([]byte(req.Passphrase), []byte(s.unlock)) != 1 {
+		writeErr(w, http.StatusUnauthorized, "wrong passphrase")
+		return
+	}
+	tok := newToken()
+	s.mu.Lock()
+	s.sessions[tok] = time.Now()
+	s.mu.Unlock()
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     sessionCookie,
+		Value:    tok,
+		Path:     "/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	writeJSON(w, http.StatusOK, s.gw.me())
+}
+
+func (s *server) handleLogout(w http.ResponseWriter, r *http.Request) {
+	if c, err := r.Cookie(sessionCookie); err == nil {
+		s.mu.Lock()
+		delete(s.sessions, c.Value)
+		s.mu.Unlock()
+	}
+	http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: "", Path: "/", MaxAge: -1, HttpOnly: true})
+	writeJSON(w, http.StatusOK, map[string]string{"status": "logged_out"})
+}
+
+func (s *server) handleMe(w http.ResponseWriter, _ *http.Request) {
+	writeJSON(w, http.StatusOK, s.gw.me())
+}
+
+// ---- rooms ----------------------------------------------------------------
+
+func (s *server) handleListRooms(w http.ResponseWriter, _ *http.Request) {
+	rooms, err := s.gw.listRooms()
+	if err != nil {
+		writeErr(w, http.StatusBadGateway, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, rooms)
+}
+
+func (s *server) handleCreateRoom(w http.ResponseWriter, r *http.Request) {
+	var req createRoomReq
+	if !decode(w, r, &req) {
+		return
+	}
+	rv, err := s.gw.createRoom(req)
+	if err != nil {
+		writeErr(w, http.StatusBadGateway, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusCreated, rv)
+}
+
+func (s *server) handleJoin(w http.ResponseWriter, r *http.Request) {
+	if err := s.gw.join(r.PathValue("id")); err != nil {
+		writeErr(w, http.StatusBadGateway, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"status": "joined"})
+}
+
+func (s *server) handleSend(w http.ResponseWriter, r *http.Request) {
+	var req sendReq
+	if !decode(w, r, &req) {
+		return
+	}
+	if strings.TrimSpace(req.Body) == "" {
+		writeErr(w, http.StatusBadRequest, "body required")
+		return
+	}
+	if err := s.gw.send(r.PathValue("id"), req.Body); err != nil {
+		writeErr(w, http.StatusBadGateway, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"status": "sent"})
+}
+
+// handleStream is the SSE endpoint: it joins the room, attaches to the room's
+// fan-out hub, and streams each decrypted message as a `data:` event. For a
+// persisted room the hub's underlying subscription delivers history first
+// (scrollback) and then live messages; for an ephemeral room only live messages
+// flow. The stream ends when the browser disconnects (ctx cancelled).
+func (s *server) handleStream(w http.ResponseWriter, r *http.Request) {
+	flusher, ok := w.(http.Flusher)
+	if !ok {
+		writeErr(w, http.StatusInternalServerError, "streaming unsupported")
+		return
+	}
+	ch, cleanup, err := s.gw.openStream(r.PathValue("id"))
+	if err != nil {
+		writeErr(w, http.StatusBadGateway, err.Error())
+		return
+	}
+	defer cleanup()
+
+	w.Header().Set("Content-Type", "text/event-stream")
+	w.Header().Set("Cache-Control", "no-cache")
+	w.Header().Set("Connection", "keep-alive")
+	w.Header().Set("X-Accel-Buffering", "no") // disable proxy buffering (nginx/caddy)
+	w.WriteHeader(http.StatusOK)
+	// An initial comment opens the stream immediately so the browser's
+	// EventSource fires `onopen` without waiting for the first message.
+	_, _ = w.Write([]byte(": connected\n\n"))
+	flusher.Flush()
+
+	ctx := r.Context()
+	ping := time.NewTicker(25 * time.Second)
+	defer ping.Stop()
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ping.C:
+			// Comment line keeps idle proxies from closing the connection.
+			if _, err := w.Write([]byte(": ping\n\n")); err != nil {
+				return
+			}
+			flusher.Flush()
+		case m := <-ch:
+			b, err := json.Marshal(m)
+			if err != nil {
+				continue
+			}
+			if _, err := w.Write([]byte("data: " + string(b) + "\n\n")); err != nil {
+				return
+			}
+			flusher.Flush()
+		}
+	}
+}
+
+// ---- SPA serving (optional) -----------------------------------------------
+
+// spaHandler serves the built SPA from s.webDir. A request for an existing asset
+// is served directly; any other path (a client-side route) falls back to
+// index.html so the SPA router can take over. /api and /healthz are matched first.
+func (s *server) spaHandler() http.Handler {
+	root := http.Dir(s.webDir)
+	fileServer := http.FileServer(root)
+	index := filepath.Join(s.webDir, "index.html")
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		p := strings.TrimPrefix(r.URL.Path, "/")
+		if p == "" {
+			http.ServeFile(w, r, index)
+			return
+		}
+		if f, err := root.Open(p); err == nil {
+			_ = f.Close()
+			fileServer.ServeHTTP(w, r)
+			return
+		}
+		http.ServeFile(w, r, index) // unknown path -> SPA client-side routing
+	})
+}
+
+// ---- helpers --------------------------------------------------------------
+
+func newToken() string {
+	b := make([]byte, 32)
+	_, _ = rand.Read(b)
+	return hex.EncodeToString(b)
+}
+
+func writeJSON(w http.ResponseWriter, code int, v any) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(code)
+	_ = json.NewEncoder(w).Encode(v)
+}
+
+func writeErr(w http.ResponseWriter, code int, msg string) {
+	writeJSON(w, code, map[string]string{"error": msg})
+}
+
+// decode reads a JSON body into v, writing a 400 and returning false on failure.
+func decode(w http.ResponseWriter, r *http.Request, v any) bool {
+	defer r.Body.Close()
+	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(v); err != nil {
+		writeErr(w, http.StatusBadRequest, "bad json: "+err.Error())
+		return false
+	}
+	return true
+}
+
+// statFile reports whether path exists and is a regular file (used to validate
+// --web-dir at startup so a typo surfaces as a clear log line, not 404s later).
+func statFile(path string) bool {
+	fi, err := os.Stat(path)
+	return err == nil && !fi.IsDir()
+}

deploy/cluster/README.md

@@ -283,61 +283,3 @@ ssh dd 'sudo systemctl start membershipd-cluster'   # rejoins, catches up
 the unit and start it without `--store kv`/`--cluster-name`; the KV buckets remain
 for a later retry. To rotate the cluster CA, re-run `generate-cluster-certs.sh
 --force` and re-stage (every node must get the new `cluster-ca.crt` together).
-
-## NATS server metrics (loopback monitoring — optional)
-
-The embedded NATS server can expose its own monitoring HTTP endpoint so a local
-scraper reads server-level metrics that `/healthz` does not surface: msgs/s,
-connections, slow consumers, memory, KV bucket message counts, the RAFT leader per
-stream and per-stream restarts. This feeds the `unibus-nats` dashboard in
-`fleet_monitoring` (the scraper hits `127.0.0.1:8222/varz|/connz|/jsz` over
-loopback and pushes to VictoriaMetrics).
-
-The endpoint is opened by the **dedicated** environment toggle `UNIBUS_NATS_MONITOR=1`
-(0.11.0+ binary). It is **decoupled** from `UNIBUS_NATS_DEBUG`: it opens the
-monitoring endpoint WITHOUT enabling the verbose nats-server debug log, so no room
-subjects or routing metadata leak to journald (keeps the hardened posture, issue
-0007). The endpoint binds `127.0.0.1:8222` **only** — the binary hardcodes the
-loopback bind, so it is never reachable from the network and needs no auth. Never
-use `UNIBUS_NATS_DEBUG` in production just to get the endpoint.
-
-### Enable it (HUMAN — requires the 0.11.0+ binary on the node)
-
-The clean way is the additive systemd drop-in in this directory:
-
-```bash
-# On each node, AFTER the 0.11.0+ binary is in /opt/unibus/membershipd:
-ssh <node> 'sudo mkdir -p /etc/systemd/system/membershipd-cluster.service.d'
-scp membershipd-cluster.service.d/nats-monitor.conf <node>:/tmp/nats-monitor.conf
-ssh <node> 'sudo cp /tmp/nats-monitor.conf /etc/systemd/system/membershipd-cluster.service.d/ \
-  && sudo systemctl daemon-reload && sudo systemctl restart membershipd-cluster'
-```
-
-(Equivalently, add `UNIBUS_NATS_MONITOR=1` to `/opt/unibus/cluster.env`, which the
-unit already sources via `EnvironmentFile`; the drop-in is preferred because it is
-self-documenting and does not edit the generated env file.)
-
-### Rolling restart with the R3 reconvergence gate (CRITICAL)
-
-`systemctl restart membershipd-cluster` restarts that node's JetStream RAFT member.
-**Never restart two nodes at once** — that would drop the cluster below quorum
-(2/3) and fail the control plane closed. Roll **one node at a time**, in the order
-`magnus → homer → datardos`, and between each node wait until the cluster has
-reconverged to R3 (every control-plane bucket back to `followers_current=2/2`):
-
-```bash
-# After restarting ONE node, gate on R3 reconvergence before touching the next:
-ssh root@magnus 'for s in KV_UNIBUS_users KV_UNIBUS_rooms KV_UNIBUS_members \
-  KV_UNIBUS_room_keys KV_UNIBUS_rooms_by_member KV_UNIBUS_nonces; do
-    nats --server nats://127.0.0.1:4250 stream info "$s" -j \
-      | jq -r --arg s "$s" \"\\($s): replicas=\\(.cluster.replicas|length) leader=\\(.cluster.leader)\"
-  done'
-# Proceed to the next node ONLY when all six show 3 replicas with a leader
-# (i.e. 2/2 followers current). Also confirm healthz is green on the just-restarted
-# node first:
-ssh <node> 'curl -fsS https://127.0.0.1:8470/healthz --cacert /opt/unibus/tls/ca.crt'
-```
-
-This restart is normally **not** done as a standalone step: the 0.11.0 binary that
-carries the flag is rolled to the three nodes in the consolidated rollout, and the
-drop-in is installed during that same rolling restart.

deploy/cluster/membershipd-cluster.service.d/nats-monitor.conf

@@ -1,27 +0,0 @@
-# Drop-in: enable the embedded NATS server monitoring HTTP endpoint so a local
-# metrics scraper can read /varz, /connz and /jsz for server-level metrics
-# (msgs/s, connections, KV bucket msgs, RAFT leader per stream, restarts).
-#
-# ADDITIVE and minimal: it only sets one environment variable; the base unit
-# (membershipd-cluster.service) is otherwise unchanged.
-#
-# UNIBUS_NATS_MONITOR is DECOUPLED from UNIBUS_NATS_DEBUG: it opens the monitoring
-# endpoint WITHOUT enabling the verbose nats-server debug log, so no room subjects
-# or routing metadata are written to journald (keeps the hardened posture, issue
-# 0007). Do NOT use UNIBUS_NATS_DEBUG in production just to get the endpoint.
-#
-# The endpoint binds 127.0.0.1:8222 ONLY — the binary hardcodes the loopback bind,
-# so it is never reachable from the network and needs no auth. The scraper runs on
-# the same host and reads it over loopback.
-#
-# Requires the 0.11.0+ membershipd binary (the one that honors UNIBUS_NATS_MONITOR).
-# Install on a node:
-#   sudo mkdir -p /etc/systemd/system/membershipd-cluster.service.d
-#   sudo cp nats-monitor.conf /etc/systemd/system/membershipd-cluster.service.d/
-#   sudo systemctl daemon-reload && sudo systemctl restart membershipd-cluster
-#
-# Restarting a node restarts its JetStream RAFT member, so roll ONE node at a time
-# and wait for R3 reconvergence (followers 2/2) before touching the next. See the
-# "NATS server metrics" section of this directory's README for the full runbook.
-[Service]
-Environment=UNIBUS_NATS_MONITOR=1

pkg/embeddednats/embeddednats.go

@@ -103,38 +103,17 @@ func StartHostAuth(storeDir, host string, port int, auth server.Authentication)
 	return StartServer(ServerConfig{StoreDir: storeDir, Host: host, Port: port, Auth: auth})
 }
 
-// natsLogOpts maps the two independent environment toggles to the embedded
-// nats-server logging and monitoring flags. It is a pure function (no I/O) so the
-// decoupling between the two toggles can be unit-tested directly.
-//
-//   - UNIBUS_NATS_DEBUG="1" enables the nats-server logger (route/RAFT/JetStream
-//     errors); "2" additionally enables protocol tracing. Off by default so the
-//     server stays silent (NoLog) and production behavior is unchanged.
-//   - UNIBUS_NATS_MONITOR="1" opens the monitoring HTTP endpoint (loopback only)
-//     for a local metrics scraper to read /varz, /connz and /jsz.
-//
-// The two are DECOUPLED on purpose: enabling the monitoring endpoint must NOT turn
-// on the verbose debug log, which would write room subjects and routing metadata
-// to journald in clear and regress the hardened posture (issue 0007). The reverse
-// coupling is kept for backward compatibility: debug mode still exposes the
-// monitoring endpoint as well (debug implies monitor), so existing debugging
-// workflows are unchanged.
-func natsLogOpts(debugEnv, monitorEnv string) (noLog, debug, trace, monitor bool) {
-	debug = debugEnv == "1" || debugEnv == "2"
-	trace = debugEnv == "2"
-	monitor = monitorEnv == "1" || debug
-	noLog = !debug
-	return noLog, debug, trace, monitor
-}
-
 // StartServer launches an embedded nats-server with JetStream from cfg. It
 // blocks until the server is ready to accept connections (up to 5s) and returns
 // the running server; the caller must Shutdown it.
 func StartServer(cfg ServerConfig) (*server.Server, error) {
-	// Map the two independent env toggles to the nats-server logging + monitoring
-	// flags. See natsLogOpts for the decoupling rationale (issue 0007).
-	noLog, debugNATS, traceNATS, monitorNATS := natsLogOpts(
-		os.Getenv("UNIBUS_NATS_DEBUG"), os.Getenv("UNIBUS_NATS_MONITOR"))
+	// Diagnostic toggle: UNIBUS_NATS_DEBUG=1 enables the embedded nats-server's own
+	// logger (route/RAFT/JetStream errors), which is otherwise silenced. Off by
+	// default so production behavior is unchanged; only set it when debugging the
+	// cluster route layer.
+	debugLevel := os.Getenv("UNIBUS_NATS_DEBUG")
+	debugNATS := debugLevel == "1" || debugLevel == "2"
+	traceNATS := debugLevel == "2"
 	opts := &server.Options{
 		JetStream:  true,
 		StoreDir:   cfg.StoreDir,
@@ -143,17 +122,15 @@ func StartServer(cfg ServerConfig) (*server.Server, error) {
 		ServerName: cfg.ServerName,
 		DontListen: false,
 		// Keep the embedded server quiet by default; the host app logs the URLs.
-		NoLog:   noLog,
+		NoLog:   !debugNATS,
 		Debug:   debugNATS,
 		Trace:   traceNATS,
 		Logtime: true,
 		NoSigs:  true,
 	}
-	if monitorNATS {
-		// Expose the nats-server monitoring endpoint on LOOPBACK ONLY (never public):
-		// the operator (or a local metrics scraper) inspects /varz, /connz, /jsz,
-		// /routez. The 127.0.0.1 bind is mandatory because this endpoint has no auth;
-		// it must stay unreachable from the network.
+	if debugNATS {
+		// Expose the nats-server monitoring endpoint (loopback) so the operator can
+		// inspect /jsz, /routez, /varz while debugging the cluster meta-group.
 		opts.HTTPHost = "127.0.0.1"
 		opts.HTTPPort = 8222
 	}

pkg/embeddednats/monitor_test.go

@@ -1,134 +0,0 @@
-package embeddednats
-
-import (
-	"io"
-	"net"
-	"net/http"
-	"testing"
-	"time"
-)
-
-// TestNatsLogOptsDecoupled is the core regression guard for issue 0007: turning
-// on the monitoring endpoint must NEVER turn on the verbose nats-server debug log
-// (which would leak room subjects/routing metadata to journald). It also checks
-// the backward-compatible coupling (debug still implies monitoring) and the quiet
-// default.
-func TestNatsLogOptsDecoupled(t *testing.T) {
-	cases := []struct {
-		name                         string
-		debugEnv, monitorEnv         string
-		noLog, debug, trace, monitor bool
-	}{
-		{"default off — quiet, no monitor", "", "", true, false, false, false},
-		{"monitor only — endpoint on, log stays quiet", "", "1", true, false, false, true},
-		{"debug implies monitor", "1", "", false, true, false, true},
-		{"trace implies debug+monitor", "2", "", false, true, true, true},
-		{"both set", "1", "1", false, true, false, true},
-		{"monitor garbage value ignored", "", "yes", true, false, false, false},
-		{"debug garbage value ignored", "true", "", true, false, false, false},
-	}
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			noLog, debug, trace, monitor := natsLogOpts(c.debugEnv, c.monitorEnv)
-			if noLog != c.noLog || debug != c.debug || trace != c.trace || monitor != c.monitor {
-				t.Fatalf("natsLogOpts(%q,%q) = (noLog=%v debug=%v trace=%v monitor=%v), want (noLog=%v debug=%v trace=%v monitor=%v)",
-					c.debugEnv, c.monitorEnv, noLog, debug, trace, monitor,
-					c.noLog, c.debug, c.trace, c.monitor)
-			}
-		})
-	}
-
-	// Explicit golden assertion of the security property: monitor on, log off.
-	noLog, debug, _, monitor := natsLogOpts("", "1")
-	if !monitor {
-		t.Fatal("UNIBUS_NATS_MONITOR=1 must open the monitoring endpoint")
-	}
-	if debug || !noLog {
-		t.Fatalf("UNIBUS_NATS_MONITOR=1 must NOT enable the debug log (got debug=%v noLog=%v)", debug, noLog)
-	}
-}
-
-// TestMonitorEndpointLoopback boots a real embedded server with
-// UNIBUS_NATS_MONITOR=1 (and DEBUG explicitly off) and proves the monitoring HTTP
-// endpoint answers on loopback only — the exact contract the metrics scraper
-// relies on. The pure decoupling check above already guarantees the log stays out
-// of debug mode for this same env combination.
-func TestMonitorEndpointLoopback(t *testing.T) {
-	t.Setenv("UNIBUS_NATS_DEBUG", "")
-	t.Setenv("UNIBUS_NATS_MONITOR", "1")
-
-	ns, err := StartServer(ServerConfig{
-		StoreDir: t.TempDir(),
-		Host:     "127.0.0.1",
-		Port:     freeLoopbackPort(t),
-	})
-	if err != nil {
-		t.Fatalf("start server with monitoring: %v", err)
-	}
-	defer func() { ns.Shutdown(); ns.WaitForShutdown() }()
-
-	addr := ns.MonitorAddr()
-	if addr == nil {
-		t.Fatal("monitoring endpoint not open with UNIBUS_NATS_MONITOR=1 (MonitorAddr is nil)")
-	}
-	if !addr.IP.IsLoopback() {
-		t.Fatalf("monitoring endpoint bound to %s, must be loopback only", addr.IP)
-	}
-	if addr.Port != 8222 {
-		t.Fatalf("monitoring endpoint on port %d, want the fixed loopback port 8222", addr.Port)
-	}
-
-	// /varz must answer 200 with a non-empty body on loopback.
-	url := "http://" + addr.String() + "/varz"
-	var resp *http.Response
-	deadline := time.Now().Add(3 * time.Second)
-	for time.Now().Before(deadline) {
-		resp, err = http.Get(url) //nolint:gosec // loopback monitoring endpoint, no auth by design
-		if err == nil {
-			break
-		}
-		time.Sleep(50 * time.Millisecond)
-	}
-	if err != nil {
-		t.Fatalf("GET %s: %v", url, err)
-	}
-	defer resp.Body.Close()
-	if resp.StatusCode != http.StatusOK {
-		t.Fatalf("GET %s -> %d, want 200", url, resp.StatusCode)
-	}
-	body, _ := io.ReadAll(resp.Body)
-	if len(body) == 0 {
-		t.Fatalf("GET %s returned an empty body", url)
-	}
-}
-
-// TestMonitorDisabledByDefault proves a server started without either toggle does
-// NOT open the monitoring endpoint, so production stays closed unless opted in.
-func TestMonitorDisabledByDefault(t *testing.T) {
-	t.Setenv("UNIBUS_NATS_DEBUG", "")
-	t.Setenv("UNIBUS_NATS_MONITOR", "")
-
-	ns, err := StartServer(ServerConfig{
-		StoreDir: t.TempDir(),
-		Host:     "127.0.0.1",
-		Port:     freeLoopbackPort(t),
-	})
-	if err != nil {
-		t.Fatalf("start server: %v", err)
-	}
-	defer func() { ns.Shutdown(); ns.WaitForShutdown() }()
-
-	if addr := ns.MonitorAddr(); addr != nil {
-		t.Fatalf("monitoring endpoint open (%s) without UNIBUS_NATS_MONITOR — must stay closed by default", addr)
-	}
-}
-
-func freeLoopbackPort(t *testing.T) int {
-	t.Helper()
-	l, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatalf("free port: %v", err)
-	}
-	defer l.Close()
-	return l.Addr().(*net.TCPAddr).Port
-}

web/src/App.tsx

@@ -1,11 +1,44 @@
-import { useState } from "react";
+import { useEffect, useState } from "react";
+import { Center, Loader } from "@mantine/core";
 import { Login } from "./Login";
 import { ChatShell } from "./ChatShell";
+import { api } from "./api";
 import type { User } from "./types";
 
+// shortEndpoint hace legible el endpoint id del operador para mostrarlo como
+// handle por defecto cuando no se escribió uno en el login.
+function shortEndpoint(ep: string) {
+  return ep.slice(0, 8);
+}
+
 export function App() {
   const [user, setUser] = useState<User | null>(null);
+  const [checking, setChecking] = useState(true);
 
+  // Al montar, comprueba si ya hay una sesión viva en el gateway (cookie). Si la
+  // hay, entra directo; si no (401), muestra el login.
+  useEffect(() => {
+    api
+      .me()
+      .then((me) =>
+        setUser({ id: me.endpoint, handle: shortEndpoint(me.endpoint) }),
+      )
+      .catch(() => {})
+      .finally(() => setChecking(false));
+  }, []);
+
+  const logout = () => {
+    void api.logout().catch(() => {});
+    setUser(null);
+  };
+
+  if (checking) {
+    return (
+      <Center h="100vh" bg="dark.9">
+        <Loader color="brand" />
+      </Center>
+    );
+  }
   if (!user) return <Login onLogin={setUser} />;
-  return <ChatShell user={user} onLogout={() => setUser(null)} />;
+  return <ChatShell user={user} onLogout={logout} />;
 }

web/src/ChatPanel.tsx

@@ -19,7 +19,8 @@ import {
   IconDotsVertical,
   IconPaperclip,
 } from "@tabler/icons-react";
-import type { Message, Room, User } from "./types";
+import { api, streamRoom } from "./api";
+import type { Message, Room } from "./types";
 
 function initials(s: string) {
   return s.replace(/[^a-z0-9]/gi, "").slice(0, 2).toUpperCase() || "?";
@@ -54,22 +55,30 @@ function MessageRow({ msg }: { msg: Message }) {
   );
 }
 
-export function ChatPanel({
-  room,
-  user,
-}: {
-  room: Room | undefined;
-  user: User;
-}) {
+export function ChatPanel({ room }: { room: Room | undefined }) {
   const [draft, setDraft] = useState("");
-  const [extra, setExtra] = useState<Record<string, Message[]>>({});
+  const [messages, setMessages] = useState<Message[]>([]);
+  const [sendError, setSendError] = useState<string | null>(null);
   const viewport = useRef<HTMLDivElement>(null);
 
-  const msgs = room ? [...room.messages, ...(extra[room.id] ?? [])] : [];
+  // Abre el stream SSE de la room activa. El gateway entrega historia (rooms
+  // persistidas) y luego mensajes en vivo, ya descifrados. Dedup por id porque
+  // un re-render no debe duplicar y el eco del propio envío llega por aquí.
+  useEffect(() => {
+    setMessages([]);
+    setSendError(null);
+    if (!room) return;
+    const close = streamRoom(room.id, (m) => {
+      setMessages((prev) =>
+        prev.some((p) => p.id === m.id) ? prev : [...prev, m],
+      );
+    });
+    return close;
+  }, [room?.id]);
 
   useEffect(() => {
     viewport.current?.scrollTo({ top: viewport.current.scrollHeight });
-  }, [room?.id, msgs.length]);
+  }, [room?.id, messages.length]);
 
   if (!room) {
     return (
@@ -79,18 +88,19 @@ export function ChatPanel({
     );
   }
 
-  const send = () => {
+  const send = async () => {
     const body = draft.trim();
     if (!body) return;
-    const msg: Message = {
-      id: `local-${Date.now()}`,
-      sender: user.handle,
-      body,
-      ts: Date.now(),
-      mine: true,
-    };
-    setExtra((e) => ({ ...e, [room.id]: [...(e[room.id] ?? []), msg] }));
     setDraft("");
+    setSendError(null);
+    try {
+      // No optimista: el mensaje propio vuelve por SSE con su id real (mine:true),
+      // evitando duplicados.
+      await api.send(room.id, body);
+    } catch (e) {
+      setDraft(body); // restaura el borrador si el envío falló
+      setSendError(e instanceof Error ? e.message : "No se pudo enviar");
+    }
   };
 
   return (
@@ -126,13 +136,18 @@ export function ChatPanel({
 
       <ScrollArea style={{ flex: 1 }} viewportRef={viewport}>
         <Stack gap="lg" p="md">
-          {msgs.map((m) => (
+          {messages.map((m) => (
             <MessageRow key={m.id} msg={m} />
           ))}
         </Stack>
       </ScrollArea>
 
       <Divider color="dark.4" />
+      {sendError && (
+        <Text c="red" size="xs" px="sm" pt={4}>
+          {sendError}
+        </Text>
+      )}
       <Group p="sm" gap="xs" wrap="nowrap">
         <ActionIcon variant="subtle" color="gray" size="lg">
           <IconPaperclip size={18} />
@@ -143,14 +158,14 @@ export function ChatPanel({
           placeholder={`Mensaje a ${room.name}`}
           value={draft}
           onChange={(e) => setDraft(e.currentTarget.value)}
-          onKeyDown={(e) => e.key === "Enter" && send()}
+          onKeyDown={(e) => e.key === "Enter" && void send()}
         />
         <ActionIcon
           size="lg"
           radius="xl"
           variant="filled"
           color="brand"
-          onClick={send}
+          onClick={() => void send()}
           disabled={!draft.trim()}
         >
           <IconSend size={18} />

web/src/ChatShell.tsx

@@ -1,9 +1,9 @@
-import { useState } from "react";
-import { Flex, Box } from "@mantine/core";
+import { useCallback, useEffect, useState } from "react";
+import { Flex, Box, Center, Loader, Stack, Text, Button } from "@mantine/core";
 import { Sidebar } from "./Sidebar";
 import { ChatPanel } from "./ChatPanel";
-import { MOCK_ROOMS } from "./mock";
-import type { User } from "./types";
+import { api } from "./api";
+import type { Room, User } from "./types";
 
 export function ChatShell({
   user,
@@ -12,10 +12,59 @@ export function ChatShell({
   user: User;
   onLogout: () => void;
 }) {
-  const [rooms] = useState(MOCK_ROOMS);
-  const [activeId, setActiveId] = useState<string>(rooms[0]?.id ?? "");
+  const [rooms, setRooms] = useState<Room[]>([]);
+  const [activeId, setActiveId] = useState<string>("");
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  const load = useCallback(() => {
+    setLoading(true);
+    api
+      .listRooms()
+      .then((rs) => {
+        setRooms(rs);
+        setActiveId((cur) => cur || rs[0]?.id || "");
+        setError(null);
+      })
+      .catch((e) => setError(e?.message ?? "No se pudieron cargar las rooms"))
+      .finally(() => setLoading(false));
+  }, []);
+
+  useEffect(() => {
+    load();
+  }, [load]);
+
   const active = rooms.find((r) => r.id === activeId);
 
+  // El panel derecho muestra el estado de carga/error/empty sin tocar el layout.
+  let panel = <ChatPanel room={active} />;
+  if (loading && rooms.length === 0) {
+    panel = (
+      <Center h="100%">
+        <Loader color="brand" />
+      </Center>
+    );
+  } else if (error) {
+    panel = (
+      <Center h="100%">
+        <Stack align="center" gap="sm">
+          <Text c="red" size="sm">
+            {error}
+          </Text>
+          <Button variant="light" color="brand" onClick={load}>
+            Reintentar
+          </Button>
+        </Stack>
+      </Center>
+    );
+  } else if (rooms.length === 0) {
+    panel = (
+      <Center h="100%">
+        <Text c="dimmed">No perteneces a ninguna room todavía</Text>
+      </Center>
+    );
+  }
+
   return (
     <Flex h="100vh" w="100vw" style={{ overflow: "hidden" }}>
       <Box
@@ -36,7 +85,7 @@ export function ChatShell({
         />
       </Box>
       <Box flex={1} h="100%" bg="dark.7" style={{ minWidth: 0 }}>
-        <ChatPanel room={active} user={user} />
+        {panel}
       </Box>
     </Flex>
   );

web/src/Login.tsx

@@ -11,15 +11,29 @@ import {
   Title,
 } from "@mantine/core";
 import { IconShieldLock, IconKey } from "@tabler/icons-react";
+import { api, ApiError } from "./api";
 import type { User } from "./types";
 
 export function Login({ onLogin }: { onLogin: (u: User) => void }) {
   const [handle, setHandle] = useState("");
   const [password, setPassword] = useState("");
+  const [busy, setBusy] = useState(false);
+  const [error, setError] = useState<string | null>(null);
   const ready = handle.trim().length > 0 && password.length > 0;
-  const connect = () => {
-    const h = handle.trim();
-    if (ready) onLogin({ id: h, handle: h });
+  const connect = async () => {
+    if (!ready || busy) return;
+    setBusy(true);
+    setError(null);
+    try {
+      // La contraseña desbloquea la sesión del gateway (passphrase del operador).
+      // El handle es solo el nombre a mostrar en esta iteración (wallet = fase 2).
+      const me = await api.login(password);
+      const h = handle.trim() || me.endpoint.slice(0, 8);
+      onLogin({ id: me.endpoint, handle: h });
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : "No se pudo conectar al gateway");
+      setBusy(false);
+    }
   };
 
   return (
@@ -52,9 +66,20 @@ export function Login({ onLogin }: { onLogin: (u: User) => void }) {
             leftSection={<IconKey size={16} />}
             value={password}
             onChange={(e) => setPassword(e.currentTarget.value)}
-            onKeyDown={(e) => e.key === "Enter" && connect()}
+            onKeyDown={(e) => e.key === "Enter" && void connect()}
           />
-          <Button w="100%" size="md" onClick={connect} disabled={!ready}>
+          {error && (
+            <Text c="red" size="sm" ta="center">
+              {error}
+            </Text>
+          )}
+          <Button
+            w="100%"
+            size="md"
+            onClick={() => void connect()}
+            disabled={!ready}
+            loading={busy}
+          >
             Conectar
           </Button>
         </Stack>

web/src/api.ts

@@ -0,0 +1,131 @@
+// La única capa por la que la SPA habla con el bus. Cada llamada va al gateway Go
+// bajo /api; el gateway mantiene la sesión `pkg/client` (peer autenticado del
+// bus), cifra/descifra por room y traduce a REST/SSE. El navegador nunca firma,
+// nunca habla NATS y nunca ve una clave privada: solo guarda una cookie de
+// sesión opaca (HttpOnly) que el gateway emite tras el login.
+import type { MeInfo, Message, MsgWire, Room, RoomWire } from "./types";
+
+export class ApiError extends Error {
+  status: number;
+  constructor(message: string, status: number) {
+    super(message);
+    this.status = status;
+  }
+}
+
+async function req<T>(path: string, init?: RequestInit): Promise<T> {
+  const res = await fetch(path, {
+    // same-origin envía la cookie de sesión automáticamente (también detrás del
+    // proxy de vite en dev).
+    credentials: "same-origin",
+    headers: { "Content-Type": "application/json" },
+    ...init,
+  });
+  const text = await res.text();
+  let body: unknown = null;
+  if (text) {
+    try {
+      body = JSON.parse(text);
+    } catch {
+      body = text;
+    }
+  }
+  if (!res.ok) {
+    const msg =
+      body && typeof body === "object" && "error" in body
+        ? String((body as { error: unknown }).error)
+        : `HTTP ${res.status}`;
+    throw new ApiError(msg, res.status);
+  }
+  return body as T;
+}
+
+// roomFromWire mapea la fila del gateway al tipo Room que consume la UI. Los
+// mensajes NO viven aquí: llegan por stream(). lastMessage/lastTs/unread se
+// rellenan de forma neutra para no inventar datos (la cabecera de la sidebar se
+// alimentará del stream en una iteración futura).
+export function roomFromWire(r: RoomWire): Room {
+  return {
+    id: r.id,
+    name: r.name || r.subject,
+    encrypted: r.encrypt,
+    lastMessage: "",
+    lastTs: 0,
+    unread: 0,
+    messages: [],
+  };
+}
+
+// messageFromWire mapea un frame descifrado del SSE al tipo Message de la UI.
+export function messageFromWire(m: MsgWire): Message {
+  return {
+    id: m.id,
+    sender: m.sender,
+    body: m.body,
+    ts: m.ts,
+    mine: m.mine,
+  };
+}
+
+export const api = {
+  // ---- sesión -------------------------------------------------------------
+  // login desbloquea la sesión del gateway con la passphrase del operador. El
+  // gateway responde con una cookie de sesión; me() comprueba si ya hay una.
+  login: (passphrase: string) =>
+    req<MeInfo>("/api/login", {
+      method: "POST",
+      body: JSON.stringify({ passphrase }),
+    }),
+  logout: () => req<{ status: string }>("/api/logout", { method: "POST" }),
+  me: () => req<MeInfo>("/api/me"),
+
+  // ---- rooms --------------------------------------------------------------
+  listRooms: async (): Promise<Room[]> => {
+    const wire = await req<RoomWire[]>("/api/rooms");
+    return wire.map(roomFromWire);
+  },
+  // createRoom: {subject, encrypted} basta — el gateway deriva la policy
+  // Matrix-like (cifrada + persistida + firmada) por defecto.
+  createRoom: async (subject: string, encrypted = true): Promise<Room> => {
+    const r = await req<RoomWire>("/api/rooms", {
+      method: "POST",
+      body: JSON.stringify({ subject, encrypted }),
+    });
+    return roomFromWire(r);
+  },
+  join: (roomID: string) =>
+    req<{ status: string }>(
+      `/api/rooms/${encodeURIComponent(roomID)}/join`,
+      { method: "POST" },
+    ),
+  send: (roomID: string, body: string) =>
+    req<{ status: string }>(
+      `/api/rooms/${encodeURIComponent(roomID)}/send`,
+      { method: "POST", body: JSON.stringify({ body }) },
+    ),
+};
+
+// streamRoom abre el SSE de una room y llama onMessage por cada frame descifrado
+// (historia primero en rooms persistidas, luego en vivo). Devuelve una función
+// de cierre. EventSource manda la cookie de sesión automáticamente y reconecta
+// solo si la conexión cae; onError se invoca en cada corte para que la UI pueda
+// reflejar el estado.
+export function streamRoom(
+  roomID: string,
+  onMessage: (m: Message) => void,
+  onError?: (e: Event) => void,
+): () => void {
+  const es = new EventSource(
+    `/api/rooms/${encodeURIComponent(roomID)}/stream`,
+  );
+  es.onmessage = (ev) => {
+    try {
+      const wire = JSON.parse(ev.data) as MsgWire;
+      onMessage(messageFromWire(wire));
+    } catch {
+      // frame malformado: se ignora, el stream sigue.
+    }
+  };
+  if (onError) es.onerror = onError;
+  return () => es.close();
+}

web/src/types.ts

@@ -1,5 +1,5 @@
-// Tipos de dominio de la UI. En la iteración 1 se llenan con datos mock;
-// más adelante vendrán del gateway (REST/SSE) que es un peer del bus.
+// Tipos de dominio de la UI. Los datos vienen del gateway Go (REST/SSE), que es
+// un peer autenticado del bus. El navegador nunca firma ni habla NATS.
 
 export interface User {
   id: string;
@@ -8,7 +8,7 @@ export interface User {
 
 export interface Message {
   id: string;
-  sender: string; // handle
+  sender: string; // endpoint id del remitente (handle legible es fase 2)
   body: string;
   ts: number; // epoch ms
   mine?: boolean;
@@ -23,3 +23,33 @@ export interface Room {
   unread: number;
   messages: Message[];
 }
+
+// ---- formas de la API del gateway (wire) ---------------------------------
+
+// MeInfo es la identidad del operador que el gateway encarna (GET /api/me).
+export interface MeInfo {
+  endpoint: string;
+  sign_pub: string;
+}
+
+// RoomWire es la fila de room que devuelve el gateway (GET /api/rooms). No trae
+// mensajes: estos llegan por SSE (GET /api/rooms/{id}/stream).
+export interface RoomWire {
+  id: string;
+  subject: string;
+  name: string;
+  epoch: number;
+  encrypt: boolean;
+  persist: boolean;
+  sign_msgs: boolean;
+  role: string;
+}
+
+// MsgWire es un mensaje ya descifrado que el gateway empuja por SSE.
+export interface MsgWire {
+  id: string;
+  sender: string;
+  body: string;
+  ts: number;
+  mine: boolean;
+}

web/vite.config.ts

@@ -3,5 +3,12 @@ import react from "@vitejs/plugin-react";
 
 export default defineConfig({
   plugins: [react()],
-  server: { host: true, port: 5181 },
+  // En dev, /api (REST + SSE) se proxea al gateway Go (cmd/webgw, puerto 8481).
+  // El proxy hace streaming, así que el SSE de /api/rooms/{id}/stream funciona a
+  // través de él. En producción el gateway sirve el dist embebido y no hay proxy.
+  server: {
+    host: true,
+    port: 5181,
+    proxy: { "/api": "http://127.0.0.1:8481" },
+  },
 });