feat(web): wire the SPA to the live bus via the gateway (drop mock)

Replace the mock data source with a real data layer that talks to the webgw
gateway over REST + SSE. The UI components keep their look and props; only
where the data comes from changed.

- src/api.ts: the single repository layer. fetch wrappers (same-origin cookie)
  for login/logout/me and rooms list/create/join/send, plus streamRoom() which
  opens an EventSource and yields each decrypted message. Wire->UI mappers
  (roomFromWire, messageFromWire).
- src/types.ts: add the gateway wire shapes (MeInfo, RoomWire, MsgWire) next to
  the existing UI types.
- App.tsx: probe /api/me on mount to resume an existing session; otherwise show
  Login. Logout calls the gateway.
- Login.tsx: the password field now unlocks the gateway session (operator
  passphrase); shows a basic error and a loading state. Wallet-per-browser is
  phase 2.
- ChatShell.tsx: load rooms from /api/rooms with loading / empty / error states;
  same Flex layout.
- ChatPanel.tsx: stream messages over SSE for the active room (dedup by id),
  composer sends through the gateway; no optimistic insert (the peer's own echo
  returns over SSE with the real frame id).
- vite.config.ts: dev proxy /api (REST + SSE) -> the gateway on :8481.

mock.ts is left untouched (no longer imported) to avoid churn with the parallel
styling work on master.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

cmd/webgw/gateway.go

@@ -0,0 +1,246 @@
+package main
+
+import (
+	"encoding/hex"
+	"fmt"
+	"strings"
+	"sync"
+
+	cs "fn-registry/functions/cybersecurity"
+
+	"github.com/enmanuel/unibus/pkg/busauth"
+	"github.com/enmanuel/unibus/pkg/client"
+	"github.com/enmanuel/unibus/pkg/frame"
+	"github.com/enmanuel/unibus/pkg/room"
+)
+
+// gateway is the live web gateway: it owns the operator's identity and a single
+// connected unibus client, and turns the bus's crypto-bearing API into the plain
+// REST/SSE surface the browser consumes. The browser never signs, never speaks
+// NATS, and never sees a private key — the gateway is the legitimate room member
+// that seals/opens payloads on the browser's behalf.
+//
+// TRUST MODEL: content stays end-to-end encrypted on the wire. The gateway can
+// read plaintext because it acts AS the operator's client — a real member of
+// each room, holding the room key K like any peer. It is the same trust a native
+// desktop client has. In the wallet phase (per-browser WebCrypto identity) the
+// decryption can move into the browser; today, for the single-operator MVP, the
+// gateway decrypts server-side and pushes cleartext over a loopback/authenticated
+// SSE channel.
+type gateway struct {
+	id         cs.Identity
+	endpoint   string
+	cli        *client.Client
+	refreshACL bool // call RefreshSession after a membership change (needed under a per-subject ACL bus)
+
+	mu   sync.Mutex
+	hubs map[string]*roomHub // roomID -> live fan-out of decrypted frames to SSE clients
+}
+
+// gatewayConfig wires a live gateway.
+type gatewayConfig struct {
+	Identity cs.Identity
+	NatsURL  string
+	CtrlURL  string
+	CtrlURLs []string
+	NatsURLs []string
+	CAPath   string // bus CA; empty => plaintext dev connection (matches a loopback membershipd)
+}
+
+// newGateway connects the unibus client with the operator identity following the
+// same posture seam every peer uses: a non-empty CA path means TLS + nkey, empty
+// means plaintext dev. When a CA is configured the bus is assumed to enforce a
+// per-subject ACL, so membership changes trigger a session refresh.
+func newGateway(cfg gatewayConfig) (*gateway, error) {
+	opts := client.Options{
+		CtrlURLs:    cfg.CtrlURLs,
+		NatsServers: cfg.NatsURLs,
+	}
+	if cfg.CAPath != "" {
+		tlsCfg, err := busauth.LoadCATLSConfig(cfg.CAPath)
+		if err != nil {
+			return nil, fmt.Errorf("webgw: load bus CA %q: %w", cfg.CAPath, err)
+		}
+		opts.UseNkey = true
+		opts.TLS = tlsCfg
+		opts.CtrlTLS = tlsCfg
+	}
+	cli, err := client.NewWithOptions(cfg.NatsURL, cfg.CtrlURL, cfg.Identity, opts)
+	if err != nil {
+		return nil, fmt.Errorf("webgw: connect bus client: %w", err)
+	}
+	return &gateway{
+		id:         cfg.Identity,
+		endpoint:   frame.EndpointID(cfg.Identity.SignPub),
+		cli:        cli,
+		refreshACL: cfg.CAPath != "",
+		hubs:       map[string]*roomHub{},
+	}, nil
+}
+
+// Close stops every hub and releases the bus client connection.
+func (g *gateway) Close() error {
+	g.mu.Lock()
+	for _, h := range g.hubs {
+		h.stop()
+	}
+	g.hubs = map[string]*roomHub{}
+	g.mu.Unlock()
+	if g.cli != nil {
+		return g.cli.Close()
+	}
+	return nil
+}
+
+// ---- wire types (browser-facing JSON) ------------------------------------
+
+// meInfo is what GET /api/me returns: the operator identity the gateway acts as.
+type meInfo struct {
+	Endpoint string `json:"endpoint"`
+	SignPub  string `json:"sign_pub"`
+}
+
+// roomWire is the browser view of a room. It deliberately omits messages: those
+// stream over SSE (GET /api/rooms/{id}/stream), not in the room list.
+type roomWire struct {
+	ID       string `json:"id"`
+	Subject  string `json:"subject"`
+	Name     string `json:"name"`
+	Epoch    int    `json:"epoch"`
+	Encrypt  bool   `json:"encrypt"`
+	Persist  bool   `json:"persist"`
+	SignMsgs bool   `json:"sign_msgs"`
+	Role     string `json:"role"`
+}
+
+// createRoomReq is the POST /api/rooms body. Encrypt/Persist/SignMsgs are
+// pointers so an omitted field falls back to the chat default rather than to the
+// Go zero value (false). The common case — the browser sending only {subject,
+// encrypted} — maps encrypted onto all three (the Matrix-like chat policy).
+type createRoomReq struct {
+	Subject   string `json:"subject"`
+	Encrypted *bool  `json:"encrypted,omitempty"`
+	Encrypt   *bool  `json:"encrypt,omitempty"`
+	Persist   *bool  `json:"persist,omitempty"`
+	SignMsgs  *bool  `json:"sign_msgs,omitempty"`
+}
+
+// policy resolves the requested policy. A bare {subject} defaults to the
+// Matrix-like chat room (encrypted + persisted + signed) so a created room keeps
+// durable, end-to-end-encrypted, authored history. Callers can override any leg.
+func (r createRoomReq) policy() room.Policy {
+	enc, per, sig := true, true, true
+	if r.Encrypted != nil {
+		enc, per, sig = *r.Encrypted, *r.Encrypted, *r.Encrypted
+	}
+	if r.Encrypt != nil {
+		enc = *r.Encrypt
+	}
+	if r.Persist != nil {
+		per = *r.Persist
+	}
+	if r.SignMsgs != nil {
+		sig = *r.SignMsgs
+	}
+	return room.Policy{Encrypt: enc, Persist: per, SignMsgs: sig}
+}
+
+// sendReq is the POST /api/rooms/{id}/send body.
+type sendReq struct {
+	Body string `json:"body"`
+}
+
+// msgWire is one decrypted message pushed over SSE.
+type msgWire struct {
+	ID     string `json:"id"`
+	Sender string `json:"sender"`
+	Body   string `json:"body"`
+	TS     int64  `json:"ts"` // epoch ms (decoded from the frame's ULID id)
+	Mine   bool   `json:"mine"`
+}
+
+// ---- operations -----------------------------------------------------------
+
+func (g *gateway) me() meInfo {
+	return meInfo{Endpoint: g.endpoint, SignPub: hex.EncodeToString(g.id.SignPub)}
+}
+
+// subjectName derives a short, human-friendly room name from its bus subject by
+// dropping the leading namespace segment (room., test., proc., agent.). It is a
+// display nicety only; the canonical identity stays the subject/room id.
+func subjectName(subject string) string {
+	for _, p := range []string{"room.", "test.", "proc.", "agent.", "rpc."} {
+		if strings.HasPrefix(subject, p) {
+			return strings.TrimPrefix(subject, p)
+		}
+	}
+	return subject
+}
+
+func (g *gateway) listRooms() ([]roomWire, error) {
+	rooms, err := g.cli.ListMyRooms()
+	if err != nil {
+		return nil, err
+	}
+	out := make([]roomWire, 0, len(rooms))
+	for _, rm := range rooms {
+		out = append(out, roomWire{
+			ID:       rm.RoomID,
+			Subject:  rm.Subject,
+			Name:     subjectName(rm.Subject),
+			Epoch:    rm.Epoch,
+			Encrypt:  rm.Policy.Encrypt,
+			Persist:  rm.Policy.Persist,
+			SignMsgs: rm.Policy.SignMsgs,
+			Role:     rm.Role,
+		})
+	}
+	return out, nil
+}
+
+func (g *gateway) createRoom(req createRoomReq) (roomWire, error) {
+	subject := strings.TrimSpace(req.Subject)
+	if subject == "" {
+		return roomWire{}, fmt.Errorf("webgw: subject required")
+	}
+	p := req.policy()
+	roomID, err := g.cli.CreateRoom(subject, p)
+	if err != nil {
+		return roomWire{}, err
+	}
+	// Under a per-subject ACL the operator's frozen NATS permissions do not yet
+	// cover the new room's subject; refresh so subsequent data-plane use works. On
+	// a plaintext/non-ACL dev bus this is unnecessary and would needlessly drop any
+	// live SSE subscriptions, so it is gated on the secured posture.
+	if g.refreshACL {
+		_ = g.cli.RefreshSession()
+	}
+	return roomWire{
+		ID:       roomID,
+		Subject:  subject,
+		Name:     subjectName(subject),
+		Epoch:    1,
+		Encrypt:  p.Encrypt,
+		Persist:  p.Persist,
+		SignMsgs: p.SignMsgs,
+		Role:     "owner",
+	}, nil
+}
+
+// join resolves room metadata and (for encrypted rooms) fetches the room key so
+// the gateway can later open payloads. Idempotent.
+func (g *gateway) join(roomID string) error {
+	if err := g.cli.Join(roomID); err != nil {
+		return err
+	}
+	if g.refreshACL {
+		_ = g.cli.RefreshSession()
+	}
+	return nil
+}
+
+// send publishes plaintext to a room. The unibus client seals it with the room
+// key (encrypted rooms) and signs it (signed rooms) before it leaves the process.
+func (g *gateway) send(roomID, body string) error {
+	return g.cli.Publish(roomID, []byte(body))
+}

cmd/webgw/hub.go

@@ -0,0 +1,140 @@
+package main
+
+import (
+	"sync"
+
+	"github.com/enmanuel/unibus/pkg/client"
+	"github.com/enmanuel/unibus/pkg/frame"
+	"github.com/oklog/ulid/v2"
+)
+
+// roomHub multiplexes ONE unibus room subscription to MANY SSE clients. The
+// unibus client derives a per-(room, endpoint) durable consumer name, so a
+// second Subscribe for the same room from the same operator would contend for
+// the same durable (load-balanced delivery) rather than each browser receiving
+// every message. The hub holds a single subscription per room and fans each
+// decrypted frame out to every connected browser, which also means the gateway
+// opens at most one bus subscription per room regardless of how many tabs watch
+// it.
+type roomHub struct {
+	roomID     string
+	myEndpoint string
+	sub        *client.Sub
+
+	mu      sync.Mutex
+	clients map[chan msgWire]struct{}
+}
+
+// frameTS decodes the millisecond timestamp embedded in a frame's ULID id. A
+// malformed id (should not happen for bus-produced frames) yields 0, which the
+// browser renders without crashing.
+func frameTS(msgID string) int64 {
+	id, err := ulid.Parse(msgID)
+	if err != nil {
+		return 0
+	}
+	return int64(id.Time())
+}
+
+// newRoomHub opens the single bus subscription for roomID and starts fanning
+// decrypted frames out to registered clients. The room must already be joined
+// (so the gateway holds the room key) before this is called.
+func newRoomHub(cli *client.Client, roomID, myEndpoint string) (*roomHub, error) {
+	h := &roomHub{
+		roomID:     roomID,
+		myEndpoint: myEndpoint,
+		clients:    map[chan msgWire]struct{}{},
+	}
+	sub, err := cli.Subscribe(roomID, func(f frame.Frame, plaintext []byte) {
+		m := msgWire{
+			ID:     f.MsgID,
+			Sender: f.Sender,
+			Body:   string(plaintext),
+			TS:     frameTS(f.MsgID),
+			Mine:   f.Sender == myEndpoint,
+		}
+		h.broadcast(m)
+	})
+	if err != nil {
+		return nil, err
+	}
+	h.sub = sub
+	return h, nil
+}
+
+// broadcast delivers a message to every registered client without blocking the
+// NATS delivery goroutine: a client whose buffer is full (a stalled browser)
+// drops this frame rather than stalling the whole room.
+func (h *roomHub) broadcast(m msgWire) {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	for ch := range h.clients {
+		select {
+		case ch <- m:
+		default:
+		}
+	}
+}
+
+// add registers a new SSE client channel.
+func (h *roomHub) add(ch chan msgWire) {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	h.clients[ch] = struct{}{}
+}
+
+// stop unsubscribes from the bus. Local delivery ends; for a persisted room the
+// durable consumer's ack position stays on the server, so a later subscription
+// with the same operator resumes from where it left off.
+func (h *roomHub) stop() {
+	if h.sub != nil {
+		_ = h.sub.Unsubscribe()
+	}
+}
+
+// openStream joins the room (idempotent; fetches the room key for encrypted
+// rooms), attaches an SSE client to the room's hub (creating it on first watcher),
+// and returns the client's message channel plus a cleanup func. The cleanup
+// detaches the client and, when it was the last watcher, tears down the room's
+// single bus subscription.
+func (g *gateway) openStream(roomID string) (chan msgWire, func(), error) {
+	if err := g.join(roomID); err != nil {
+		return nil, nil, err
+	}
+	g.mu.Lock()
+	h := g.hubs[roomID]
+	if h == nil {
+		var err error
+		h, err = newRoomHub(g.cli, roomID, g.endpoint)
+		if err != nil {
+			g.mu.Unlock()
+			return nil, nil, err
+		}
+		g.hubs[roomID] = h
+	}
+	g.mu.Unlock()
+
+	// Buffer so a brief render hitch in the browser does not drop live frames; a
+	// sustained stall still drops (broadcast is non-blocking) rather than wedging
+	// the room.
+	ch := make(chan msgWire, 64)
+	h.add(ch)
+
+	// cleanup takes g.mu before h.mu (the single, consistent lock order) so a
+	// concurrent openStream that re-creates the hub cannot race the teardown.
+	cleanup := func() {
+		g.mu.Lock()
+		defer g.mu.Unlock()
+		h.mu.Lock()
+		delete(h.clients, ch)
+		empty := len(h.clients) == 0
+		h.mu.Unlock()
+		if empty {
+			if cur := g.hubs[roomID]; cur == h {
+				delete(g.hubs, roomID)
+				h.stop()
+			}
+		}
+	}
+	return ch, cleanup, nil
+}

cmd/webgw/identity.go

@@ -0,0 +1,98 @@
+package main
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+
+	cs "fn-registry/functions/cybersecurity"
+)
+
+// identityJSON mirrors the on-disk / pass-stored identity format shared across
+// the unibus tooling: the four keypair halves, each std-base64. It is the SAME
+// shape the bus client persists (pkg/client identity file) and the operator's
+// `pass` entry unibus/operator-identity, so the web gateway loads the operator's
+// identity without a divergent serialization. Kept in lockstep with
+// unibus_admin/internal/admin/identity.go.
+type identityJSON struct {
+	SignPub  string `json:"sign_pub"`
+	SignPriv string `json:"sign_priv"`
+	KexPub   string `json:"kex_pub"`
+	KexPriv  string `json:"kex_priv"`
+}
+
+// decodeIdentity turns the JSON identity bytes into a cs.Identity. The private
+// halves stay only in memory; this never writes them anywhere.
+func decodeIdentity(raw []byte) (cs.Identity, error) {
+	var f identityJSON
+	if err := json.Unmarshal(raw, &f); err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: parse identity json: %w", err)
+	}
+	dec := base64.StdEncoding.DecodeString
+	signPub, err := dec(f.SignPub)
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: decode sign_pub: %w", err)
+	}
+	signPriv, err := dec(f.SignPriv)
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: decode sign_priv: %w", err)
+	}
+	kexPub, err := dec(f.KexPub)
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: decode kex_pub: %w", err)
+	}
+	kexPriv, err := dec(f.KexPriv)
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: decode kex_priv: %w", err)
+	}
+	if len(signPub) != 32 || len(signPriv) != 64 || len(kexPub) != 32 || len(kexPriv) != 32 {
+		return cs.Identity{}, fmt.Errorf("webgw: identity has wrong key sizes (sign_pub=%d sign_priv=%d kex_pub=%d kex_priv=%d)",
+			len(signPub), len(signPriv), len(kexPub), len(kexPriv))
+	}
+	return cs.Identity{SignPub: signPub, SignPriv: signPriv, KexPub: kexPub, KexPriv: kexPriv}, nil
+}
+
+// loadIdentityFromFile reads a 0600 identity JSON file (the same format the bus
+// client writes) and decodes it. Used on a deploy host where `pass` is not
+// available and the operator identity is delivered as a protected file.
+func loadIdentityFromFile(path string) (cs.Identity, error) {
+	raw, err := os.ReadFile(path)
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: read identity file %q: %w", path, err)
+	}
+	return decodeIdentity(raw)
+}
+
+// loadIdentityFromPass shells out to `pass show <entry>` and decodes the JSON
+// identity it returns. The secret is held only in memory; this process never
+// writes it to disk or argv. Used in local operator workflows where the GNU
+// password store holds unibus/operator-identity.
+func loadIdentityFromPass(entry string) (cs.Identity, error) {
+	out, err := exec.Command("pass", "show", entry).Output()
+	if err != nil {
+		return cs.Identity{}, fmt.Errorf("webgw: pass show %q: %w", entry, err)
+	}
+	return decodeIdentity(out)
+}
+
+// loadPassValue returns the first line of a `pass show <entry>` for non-identity
+// secrets (e.g. the unlock passphrase). Empty entry yields an empty string and
+// no error, so callers can treat "no pass entry configured" as "not set".
+func loadPassValue(entry string) (string, error) {
+	if entry == "" {
+		return "", nil
+	}
+	out, err := exec.Command("pass", "show", entry).Output()
+	if err != nil {
+		return "", fmt.Errorf("webgw: pass show %q: %w", entry, err)
+	}
+	s := string(out)
+	for i := 0; i < len(s); i++ {
+		if s[i] == '\n' || s[i] == '\r' {
+			return s[:i], nil
+		}
+	}
+	return s, nil
+}

cmd/webgw/main.go

@@ -0,0 +1,180 @@
+// Command webgw is the web gateway for the unibus chat SPA. It is a single Go
+// binary that holds the operator's bus identity, connects to the bus as a real
+// authenticated peer (pkg/client), and exposes a small REST + SSE API the
+// browser consumes. The browser never signs, never speaks NATS, and never sees a
+// private key: it authenticates to the gateway with a passphrase and thereafter
+// holds only an opaque session cookie.
+//
+// TRUST MODEL (MVP, single operator): room content stays end-to-end encrypted on
+// the bus. The gateway can read plaintext because it acts AS the operator's
+// client — a legitimate member of each room holding the room key. Decryption
+// happens server-side in this process; cleartext then crosses an authenticated
+// (loopback or TLS-fronted) SSE channel to the browser. The wallet phase (issue:
+// per-browser WebCrypto identity) can move decryption into the browser; see the
+// report for the FASE 2 plan.
+//
+//	# local dev against a loopback membershipd (plaintext), operator from pass:
+//	webgw --identity-pass unibus/operator-identity \
+//	  --ctrl-url http://127.0.0.1:8470 --nats-url nats://127.0.0.1:4250
+//
+//	# secured cluster (TLS + nkey on both planes), identity from a 0600 file:
+//	webgw --ca ca.crt --identity-file operator.id \
+//	  --ctrl-url https://node-a:8470 --nats-url nats://node-a:4250 \
+//	  --ctrl-urls https://node-b:8470,https://node-c:8470 \
+//	  --nats-urls nats://node-b:4250,nats://node-c:4250
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"strings"
+	"syscall"
+	"time"
+
+	cs "fn-registry/functions/cybersecurity"
+)
+
+func main() {
+	var (
+		bind         = flag.String("bind", "127.0.0.1", "interface to bind the gateway HTTP server to (loopback by default)")
+		port         = flag.String("port", "8481", "gateway HTTP port")
+		ctrlURL      = flag.String("ctrl-url", "http://127.0.0.1:8470", "primary unibus control-plane base URL")
+		ctrlURLs     = flag.String("ctrl-urls", "", "comma-separated ADDITIONAL control-plane base URLs (cluster failover)")
+		natsURL      = flag.String("nats-url", "nats://127.0.0.1:4250", "primary NATS URL")
+		natsURLs     = flag.String("nats-urls", "", "comma-separated ADDITIONAL NATS seed URLs (cluster failover)")
+		caPath       = flag.String("ca", "", "bus CA cert path; set to talk TLS+nkey to a secured bus (empty = plaintext dev)")
+		identityFile = flag.String("identity-file", "", "path to the operator identity JSON file (0600). Mutually exclusive with --identity-pass")
+		identityPass = flag.String("identity-pass", "", "pass(1) entry holding the operator identity JSON, e.g. unibus/operator-identity")
+		unlockPass   = flag.String("unlock-pass", "", "literal passphrase the browser must send to unlock a session (dev). Prefer --unlock-pass-entry")
+		unlockEntry  = flag.String("unlock-pass-entry", "unibus/admin-panel-password", "pass(1) entry holding the unlock passphrase (used when --unlock-pass is empty)")
+		webDir       = flag.String("web-dir", "", "OPTIONAL path to the built SPA (web/dist) to serve. Empty = API only (use vite dev server)")
+	)
+	flag.Parse()
+
+	log.SetFlags(log.LstdFlags | log.Lmsgprefix)
+	log.SetPrefix("[webgw] ")
+
+	id, err := loadIdentity(*identityFile, *identityPass)
+	if err != nil {
+		log.Fatalf("%v", err)
+	}
+
+	unlock := *unlockPass
+	if unlock == "" {
+		unlock, err = loadPassValue(*unlockEntry)
+		if err != nil {
+			log.Fatalf("resolve unlock passphrase: %v", err)
+		}
+	}
+	if unlock == "" {
+		log.Fatalf("an unlock passphrase is required: set --unlock-pass or a non-empty --unlock-pass-entry (default unibus/admin-panel-password)")
+	}
+
+	resolvedWebDir := resolveWebDir(*webDir)
+
+	gw, err := newGateway(gatewayConfig{
+		Identity: id,
+		NatsURL:  *natsURL,
+		CtrlURL:  *ctrlURL,
+		CtrlURLs: splitCSV(*ctrlURLs),
+		NatsURLs: splitCSV(*natsURLs),
+		CAPath:   *caPath,
+	})
+	if err != nil {
+		log.Fatalf("%v", err)
+	}
+	defer gw.Close()
+
+	log.Printf("operator endpoint: %s", gw.endpoint)
+	log.Printf("control plane: %s (+%d failover)", *ctrlURL, len(splitCSV(*ctrlURLs)))
+	tls := "OFF (plaintext dev)"
+	if *caPath != "" {
+		tls = "ON (CA " + *caPath + ")"
+	}
+	log.Printf("bus TLS+nkey: %s", tls)
+	if resolvedWebDir != "" {
+		log.Printf("serving SPA from: %s", resolvedWebDir)
+	} else {
+		log.Printf("API only (no --web-dir): use the vite dev server with a /api+stream proxy")
+	}
+
+	srv := newServer(gw, unlock, resolvedWebDir)
+	addr := *bind + ":" + *port
+	httpSrv := &http.Server{
+		Addr:    addr,
+		Handler: srv,
+		// No global write timeout: SSE streams are long-lived. Header timeout still
+		// bounds slowloris on the request line/headers.
+		ReadHeaderTimeout: 10 * time.Second,
+	}
+
+	go func() {
+		log.Printf("web gateway: http://%s", addr)
+		if err := httpSrv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			log.Fatalf("http server: %v", err)
+		}
+	}()
+
+	stop := make(chan os.Signal, 1)
+	signal.Notify(stop, syscall.SIGINT, syscall.SIGTERM)
+	<-stop
+	log.Printf("shutting down...")
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	_ = httpSrv.Shutdown(ctx)
+	log.Printf("bye")
+}
+
+// loadIdentity resolves the operator identity from exactly one of --identity-file
+// or --identity-pass.
+func loadIdentity(file, passEntry string) (cs.Identity, error) {
+	switch {
+	case file != "" && passEntry != "":
+		return cs.Identity{}, errFlag("set only one of --identity-file or --identity-pass")
+	case file != "":
+		return loadIdentityFromFile(file)
+	case passEntry != "":
+		return loadIdentityFromPass(passEntry)
+	default:
+		return cs.Identity{}, errFlag("an identity is required: pass --identity-file <path> or --identity-pass <entry>")
+	}
+}
+
+// resolveWebDir validates the --web-dir flag. An empty flag means API-only. A
+// non-empty dir is kept only if it actually holds an index.html, so a typo logs
+// "API only" rather than serving 404s.
+func resolveWebDir(dir string) string {
+	if dir == "" {
+		return ""
+	}
+	abs, err := filepath.Abs(dir)
+	if err != nil {
+		log.Printf("WARN --web-dir %q: %v; serving API only", dir, err)
+		return ""
+	}
+	if !statFile(filepath.Join(abs, "index.html")) {
+		log.Printf("WARN --web-dir %q has no index.html; serving API only", abs)
+		return ""
+	}
+	return abs
+}
+
+type flagErr string
+
+func (e flagErr) Error() string { return string(e) }
+func errFlag(s string) error    { return flagErr("webgw: " + s) }
+
+func splitCSV(s string) []string {
+	var out []string
+	for _, p := range strings.Split(s, ",") {
+		if p = strings.TrimSpace(p); p != "" {
+			out = append(out, p)
+		}
+	}
+	return out
+}

cmd/webgw/server.go

@@ -0,0 +1,301 @@
+package main
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/hex"
+	"encoding/json"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+)
+
+// sessionCookie is the name of the gateway's session cookie. The browser sends
+// it automatically on same-origin fetches AND on EventSource (SSE) connections —
+// EventSource cannot set custom headers, so a cookie is the only way to
+// authenticate the stream. It is HttpOnly so page JS can never read the token.
+const sessionCookie = "unibus_session"
+
+// server is the gateway's HTTP surface: a small REST/SSE API under /api gated by
+// a session cookie, plus an optional static file server for the built SPA. The
+// gateway's privileged operator identity never leaves the process; the browser
+// authenticates with a passphrase and thereafter holds only an opaque session
+// token.
+type server struct {
+	gw     *gateway
+	unlock string // passphrase that unlocks a session (compared in constant time)
+	webDir string // optional path to the built SPA (web/dist); empty = API only
+	mux    *http.ServeMux
+
+	mu       sync.Mutex
+	sessions map[string]time.Time // token -> issued-at
+}
+
+func newServer(gw *gateway, unlock, webDir string) *server {
+	s := &server{
+		gw:       gw,
+		unlock:   unlock,
+		webDir:   webDir,
+		mux:      http.NewServeMux(),
+		sessions: map[string]time.Time{},
+	}
+	s.routes()
+	return s
+}
+
+func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) { s.mux.ServeHTTP(w, r) }
+
+func (s *server) routes() {
+	// Liveness, unauthenticated (systemd / deploy smoke).
+	s.mux.HandleFunc("GET /healthz", func(w http.ResponseWriter, _ *http.Request) {
+		writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+	})
+
+	// Auth: login is the only /api route reachable without a session.
+	s.mux.HandleFunc("POST /api/login", s.handleLogin)
+	s.mux.HandleFunc("POST /api/logout", s.auth(s.handleLogout))
+	s.mux.HandleFunc("GET /api/me", s.auth(s.handleMe))
+
+	s.mux.HandleFunc("GET /api/rooms", s.auth(s.handleListRooms))
+	s.mux.HandleFunc("POST /api/rooms", s.auth(s.handleCreateRoom))
+	s.mux.HandleFunc("POST /api/rooms/{id}/join", s.auth(s.handleJoin))
+	s.mux.HandleFunc("POST /api/rooms/{id}/send", s.auth(s.handleSend))
+	s.mux.HandleFunc("GET /api/rooms/{id}/stream", s.auth(s.handleStream))
+
+	// Everything else is the SPA (when --web-dir is set). Registered last.
+	if s.webDir != "" {
+		s.mux.Handle("/", s.spaHandler())
+	}
+}
+
+// ---- auth -----------------------------------------------------------------
+
+// auth wraps a handler so it runs only with a valid session cookie. A missing or
+// unknown token yields 401, which the SPA treats as "show the login screen".
+func (s *server) auth(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		c, err := r.Cookie(sessionCookie)
+		if err != nil || !s.validSession(c.Value) {
+			writeErr(w, http.StatusUnauthorized, "not authenticated")
+			return
+		}
+		next(w, r)
+	}
+}
+
+func (s *server) validSession(token string) bool {
+	if token == "" {
+		return false
+	}
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	_, ok := s.sessions[token]
+	return ok
+}
+
+func (s *server) handleLogin(w http.ResponseWriter, r *http.Request) {
+	var req struct {
+		Passphrase string `json:"passphrase"`
+	}
+	if !decode(w, r, &req) {
+		return
+	}
+	// Constant-time compare so a wrong passphrase cannot be timed character by
+	// character. An empty configured passphrase never matches (main refuses to
+	// start without one, so this is defense in depth).
+	if s.unlock == "" || subtle.ConstantTimeCompare([]byte(req.Passphrase), []byte(s.unlock)) != 1 {
+		writeErr(w, http.StatusUnauthorized, "wrong passphrase")
+		return
+	}
+	tok := newToken()
+	s.mu.Lock()
+	s.sessions[tok] = time.Now()
+	s.mu.Unlock()
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     sessionCookie,
+		Value:    tok,
+		Path:     "/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	writeJSON(w, http.StatusOK, s.gw.me())
+}
+
+func (s *server) handleLogout(w http.ResponseWriter, r *http.Request) {
+	if c, err := r.Cookie(sessionCookie); err == nil {
+		s.mu.Lock()
+		delete(s.sessions, c.Value)
+		s.mu.Unlock()
+	}
+	http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: "", Path: "/", MaxAge: -1, HttpOnly: true})
+	writeJSON(w, http.StatusOK, map[string]string{"status": "logged_out"})
+}
+
+func (s *server) handleMe(w http.ResponseWriter, _ *http.Request) {
+	writeJSON(w, http.StatusOK, s.gw.me())
+}
+
+// ---- rooms ----------------------------------------------------------------
+
+func (s *server) handleListRooms(w http.ResponseWriter, _ *http.Request) {
+	rooms, err := s.gw.listRooms()
+	if err != nil {
+		writeErr(w, http.StatusBadGateway, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, rooms)
+}
+
+func (s *server) handleCreateRoom(w http.ResponseWriter, r *http.Request) {
+	var req createRoomReq
+	if !decode(w, r, &req) {
+		return
+	}
+	rv, err := s.gw.createRoom(req)
+	if err != nil {
+		writeErr(w, http.StatusBadGateway, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusCreated, rv)
+}
+
+func (s *server) handleJoin(w http.ResponseWriter, r *http.Request) {
+	if err := s.gw.join(r.PathValue("id")); err != nil {
+		writeErr(w, http.StatusBadGateway, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"status": "joined"})
+}
+
+func (s *server) handleSend(w http.ResponseWriter, r *http.Request) {
+	var req sendReq
+	if !decode(w, r, &req) {
+		return
+	}
+	if strings.TrimSpace(req.Body) == "" {
+		writeErr(w, http.StatusBadRequest, "body required")
+		return
+	}
+	if err := s.gw.send(r.PathValue("id"), req.Body); err != nil {
+		writeErr(w, http.StatusBadGateway, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"status": "sent"})
+}
+
+// handleStream is the SSE endpoint: it joins the room, attaches to the room's
+// fan-out hub, and streams each decrypted message as a `data:` event. For a
+// persisted room the hub's underlying subscription delivers history first
+// (scrollback) and then live messages; for an ephemeral room only live messages
+// flow. The stream ends when the browser disconnects (ctx cancelled).
+func (s *server) handleStream(w http.ResponseWriter, r *http.Request) {
+	flusher, ok := w.(http.Flusher)
+	if !ok {
+		writeErr(w, http.StatusInternalServerError, "streaming unsupported")
+		return
+	}
+	ch, cleanup, err := s.gw.openStream(r.PathValue("id"))
+	if err != nil {
+		writeErr(w, http.StatusBadGateway, err.Error())
+		return
+	}
+	defer cleanup()
+
+	w.Header().Set("Content-Type", "text/event-stream")
+	w.Header().Set("Cache-Control", "no-cache")
+	w.Header().Set("Connection", "keep-alive")
+	w.Header().Set("X-Accel-Buffering", "no") // disable proxy buffering (nginx/caddy)
+	w.WriteHeader(http.StatusOK)
+	// An initial comment opens the stream immediately so the browser's
+	// EventSource fires `onopen` without waiting for the first message.
+	_, _ = w.Write([]byte(": connected\n\n"))
+	flusher.Flush()
+
+	ctx := r.Context()
+	ping := time.NewTicker(25 * time.Second)
+	defer ping.Stop()
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ping.C:
+			// Comment line keeps idle proxies from closing the connection.
+			if _, err := w.Write([]byte(": ping\n\n")); err != nil {
+				return
+			}
+			flusher.Flush()
+		case m := <-ch:
+			b, err := json.Marshal(m)
+			if err != nil {
+				continue
+			}
+			if _, err := w.Write([]byte("data: " + string(b) + "\n\n")); err != nil {
+				return
+			}
+			flusher.Flush()
+		}
+	}
+}
+
+// ---- SPA serving (optional) -----------------------------------------------
+
+// spaHandler serves the built SPA from s.webDir. A request for an existing asset
+// is served directly; any other path (a client-side route) falls back to
+// index.html so the SPA router can take over. /api and /healthz are matched first.
+func (s *server) spaHandler() http.Handler {
+	root := http.Dir(s.webDir)
+	fileServer := http.FileServer(root)
+	index := filepath.Join(s.webDir, "index.html")
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		p := strings.TrimPrefix(r.URL.Path, "/")
+		if p == "" {
+			http.ServeFile(w, r, index)
+			return
+		}
+		if f, err := root.Open(p); err == nil {
+			_ = f.Close()
+			fileServer.ServeHTTP(w, r)
+			return
+		}
+		http.ServeFile(w, r, index) // unknown path -> SPA client-side routing
+	})
+}
+
+// ---- helpers --------------------------------------------------------------
+
+func newToken() string {
+	b := make([]byte, 32)
+	_, _ = rand.Read(b)
+	return hex.EncodeToString(b)
+}
+
+func writeJSON(w http.ResponseWriter, code int, v any) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(code)
+	_ = json.NewEncoder(w).Encode(v)
+}
+
+func writeErr(w http.ResponseWriter, code int, msg string) {
+	writeJSON(w, code, map[string]string{"error": msg})
+}
+
+// decode reads a JSON body into v, writing a 400 and returning false on failure.
+func decode(w http.ResponseWriter, r *http.Request, v any) bool {
+	defer r.Body.Close()
+	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(v); err != nil {
+		writeErr(w, http.StatusBadRequest, "bad json: "+err.Error())
+		return false
+	}
+	return true
+}
+
+// statFile reports whether path exists and is a regular file (used to validate
+// --web-dir at startup so a typo surfaces as a clear log line, not 404s later).
+func statFile(path string) bool {
+	fi, err := os.Stat(path)
+	return err == nil && !fi.IsDir()
+}

dev/issues/0007-jetstream-encryption-at-rest.md

@@ -0,0 +1,78 @@
+---
+issue: 0007
+title: Cifrado at-rest del control plane (JetStream KV / SQLite en disco)
+status: spec
+created: 2026-06-07
+domain: security
+scope: unibus (pkg/embeddednats, cmd/membershipd, deploy/cluster) + procedimiento de migración del store existente
+---
+
+# Objetivo
+
+Cifrar en reposo el almacenamiento del plano de control para que un nodo comprometido
+(root en el VPS) o un disco robado no exponga los metadatos de control en claro.
+
+Estado actual (auditado el 07/06/2026, report 0012 y siguientes):
+
+- **Contenido de los mensajes**: cifrado E2E por room (megolm/olm). El servidor nunca ve el
+  plaintext; no vive en el plano de control. **No es el objeto de este issue.**
+- **Claves de room** (`UNIBUS_room_keys`): guardadas **selladas** (sealed box X25519, cifradas
+  para cada miembro). El servidor las almacena y reparte pero no puede abrirlas. **Ya protegidas.**
+- **Metadatos de control** (`UNIBUS_rooms`, `UNIBUS_members`, `UNIBUS_rooms_by_member`,
+  `UNIBUS_users`): se serializan con `json.Marshal` y se escriben **en claro** en el store. En
+  cluster ese store es el directorio `local_files/jetstream/` de cada nodo; en single-node es el
+  archivo SQLite `local_files/unibus.db`. Hoy **no hay cifrado at-rest**: con root en un nodo se
+  pueden leer subjects de salas, la pertenencia (quién está en qué sala con qué rol), los handles
+  y roles de los usuarios, y las claves públicas (signPub/kexPub). No se exponen mensajes (E2E) ni
+  se pueden descifrar salas (claves selladas), pero sí toda la topología.
+
+Tras este issue, los buckets/archivos del control plane quedan cifrados en disco con una clave por
+nodo gestionada fuera de git. El modelo de amenaza pasa de "root del nodo ve la topología" a "root
+del nodo necesita además la clave at-rest (que puede vivir en un secreto separado / TPM / variable
+de entorno inyectada) para leer cualquier cosa".
+
+# Contexto técnico
+
+- NATS Server / JetStream soporta **encryption at-rest** nativo: se configura una cifra
+  (`aes` o `chacha20`) y una clave; JetStream cifra los ficheros de los streams/KV en disco. El
+  bus usa un NATS **embebido** (`pkg/embeddednats`), así que la activación es por opciones del
+  servidor embebido, no por un `nats-server.conf` externo.
+- Para el backend SQLite (single-node) el equivalente sería SQLCipher o cifrado a nivel de
+  archivo/FS; queda como sub-tarea de menor prioridad porque el despliegue real es cluster (KV).
+
+# Tareas
+
+1. Confirmar la API de encryption-at-rest del NATS embebido en la versión usada (opción de
+   servidor para cipher + clave; cómo se pasa la clave de forma que no quede en argv ni en git).
+2. Activar el cifrado en `pkg/embeddednats` detrás de una opción de configuración. La clave se
+   inyecta por archivo (`--jetstream-encryption-key-file`, 0600, junto a las claves TLS del nodo)
+   o variable de entorno desde el unit systemd; nunca en argv ni commiteada.
+3. `cmd/membershipd`: flag/env para la clave + reflejar el estado en la posture publicada en
+   `/healthz` (p.ej. `"at_rest":true`) para que el monitor lo verifique.
+4. `deploy/cluster`: provisionar la clave at-rest por nodo (generación + `pass`/secrets gitignored)
+   y cablearla en `cluster.env` + el unit. Documentar en el runbook.
+5. **Migración del store existente** (gotcha crítico): JetStream no re-cifra retroactivamente los
+   datos ya escritos en claro. Diseñar y documentar el procedimiento seguro para el cluster en
+   producción (probable: backup → exportar snapshot del control plane → parar nodo → recrear el
+   store con la clave activa → re-importar; o rotación nodo a nodo aprovechando la replicación R3).
+   Respetar la regla de migraciones (aditivo, sin pérdida de datos).
+6. Tests: arrancar un nodo con clave at-rest, escribir un user/room, y verificar que el fichero en
+   disco **no** contiene en claro un subject/handle conocido (grep negativo), y que el nodo sigue
+   leyéndolos con la clave. Verificar que sin la clave el store no se abre.
+
+# Definition of Done
+
+- Cifrado at-rest activo en los 3 nodos del cluster; `/healthz` lo refleja en la posture.
+- Evidencia ejecutable: un valor conocido (subject de sala / handle de usuario) **no** aparece en
+  claro al hacer `grep` sobre `local_files/jetstream/`; el nodo lo sigue sirviendo con la clave.
+- Procedimiento de migración probado sobre datos reales sin pérdida (snapshot/restore verificado).
+- La clave at-rest nunca está en git ni en argv; vive en archivo 0600 / secreto inyectado.
+- No baja ninguna otra capa de seguridad (enforce + ACL + TLS + E2E + sealed keys intactas).
+
+# Notas
+
+Aditivo y ortogonal al resto de la seguridad: TLS protege en tránsito, E2E el contenido, las claves
+de room van selladas; este issue cierra el último hueco (metadatos de control en claro en disco)
+para el modelo de amenaza "VPS comprometido / disco robado". Prioridad media: el despliegue ya es
+seguro frente a ataques de red (enforce+TLS+ACL); esto endurece frente a compromiso físico/root del
+host. Relacionado con el endurecimiento de los issues 0004/0005/0006.

web/src/App.tsx

@@ -1,11 +1,44 @@
-import { useState } from "react";
+import { useEffect, useState } from "react";
+import { Center, Loader } from "@mantine/core";
 import { Login } from "./Login";
 import { ChatShell } from "./ChatShell";
+import { api } from "./api";
 import type { User } from "./types";
 
+// shortEndpoint hace legible el endpoint id del operador para mostrarlo como
+// handle por defecto cuando no se escribió uno en el login.
+function shortEndpoint(ep: string) {
+  return ep.slice(0, 8);
+}
+
 export function App() {
   const [user, setUser] = useState<User | null>(null);
+  const [checking, setChecking] = useState(true);
 
-  if (!user) return <Login onLogin={setUser} />;
-  return <ChatShell user={user} onLogout={() => setUser(null)} />;
+  // Al montar, comprueba si ya hay una sesión viva en el gateway (cookie). Si la
+  // hay, entra directo; si no (401), muestra el login.
+  useEffect(() => {
+    api
+      .me()
+      .then((me) =>
+        setUser({ id: me.endpoint, handle: shortEndpoint(me.endpoint) }),
+      )
+      .catch(() => {})
+      .finally(() => setChecking(false));
+  }, []);
+
+  const logout = () => {
+    void api.logout().catch(() => {});
+    setUser(null);
+  };
+
+  if (checking) {
+    return (
+      <Center h="100vh" bg="dark.9">
+        <Loader color="brand" />
+      </Center>
+    );
+  }
+  if (!user) return <Login onLogin={setUser} />;
+  return <ChatShell user={user} onLogout={logout} />;
 }

web/src/ChatPanel.tsx

@@ -19,7 +19,8 @@ import {
   IconDotsVertical,
   IconPaperclip,
 } from "@tabler/icons-react";
-import type { Message, Room, User } from "./types";
+import { api, streamRoom } from "./api";
+import type { Message, Room } from "./types";
 
 function initials(s: string) {
   return s.replace(/[^a-z0-9]/gi, "").slice(0, 2).toUpperCase() || "?";
@@ -54,22 +55,30 @@ function MessageRow({ msg }: { msg: Message }) {
   );
 }
 
-export function ChatPanel({
-  room,
-  user,
-}: {
-  room: Room | undefined;
-  user: User;
-}) {
+export function ChatPanel({ room }: { room: Room | undefined }) {
   const [draft, setDraft] = useState("");
-  const [extra, setExtra] = useState<Record<string, Message[]>>({});
+  const [messages, setMessages] = useState<Message[]>([]);
+  const [sendError, setSendError] = useState<string | null>(null);
   const viewport = useRef<HTMLDivElement>(null);
 
-  const msgs = room ? [...room.messages, ...(extra[room.id] ?? [])] : [];
+  // Abre el stream SSE de la room activa. El gateway entrega historia (rooms
+  // persistidas) y luego mensajes en vivo, ya descifrados. Dedup por id porque
+  // un re-render no debe duplicar y el eco del propio envío llega por aquí.
+  useEffect(() => {
+    setMessages([]);
+    setSendError(null);
+    if (!room) return;
+    const close = streamRoom(room.id, (m) => {
+      setMessages((prev) =>
+        prev.some((p) => p.id === m.id) ? prev : [...prev, m],
+      );
+    });
+    return close;
+  }, [room?.id]);
 
   useEffect(() => {
     viewport.current?.scrollTo({ top: viewport.current.scrollHeight });
-  }, [room?.id, msgs.length]);
+  }, [room?.id, messages.length]);
 
   if (!room) {
     return (
@@ -79,18 +88,19 @@ export function ChatPanel({
     );
   }
 
-  const send = () => {
+  const send = async () => {
     const body = draft.trim();
     if (!body) return;
-    const msg: Message = {
-      id: `local-${Date.now()}`,
-      sender: user.handle,
-      body,
-      ts: Date.now(),
-      mine: true,
-    };
-    setExtra((e) => ({ ...e, [room.id]: [...(e[room.id] ?? []), msg] }));
     setDraft("");
+    setSendError(null);
+    try {
+      // No optimista: el mensaje propio vuelve por SSE con su id real (mine:true),
+      // evitando duplicados.
+      await api.send(room.id, body);
+    } catch (e) {
+      setDraft(body); // restaura el borrador si el envío falló
+      setSendError(e instanceof Error ? e.message : "No se pudo enviar");
+    }
   };
 
   return (
@@ -126,13 +136,18 @@ export function ChatPanel({
 
       <ScrollArea style={{ flex: 1 }} viewportRef={viewport}>
         <Stack gap="lg" p="md">
-          {msgs.map((m) => (
+          {messages.map((m) => (
             <MessageRow key={m.id} msg={m} />
           ))}
         </Stack>
       </ScrollArea>
 
       <Divider color="dark.4" />
+      {sendError && (
+        <Text c="red" size="xs" px="sm" pt={4}>
+          {sendError}
+        </Text>
+      )}
       <Group p="sm" gap="xs" wrap="nowrap">
         <ActionIcon variant="subtle" color="gray" size="lg">
           <IconPaperclip size={18} />
@@ -143,14 +158,14 @@ export function ChatPanel({
           placeholder={`Mensaje a ${room.name}`}
           value={draft}
           onChange={(e) => setDraft(e.currentTarget.value)}
-          onKeyDown={(e) => e.key === "Enter" && send()}
+          onKeyDown={(e) => e.key === "Enter" && void send()}
         />
         <ActionIcon
           size="lg"
           radius="xl"
           variant="filled"
           color="brand"
-          onClick={send}
+          onClick={() => void send()}
           disabled={!draft.trim()}
         >
           <IconSend size={18} />

web/src/ChatShell.tsx

@@ -1,9 +1,9 @@
-import { useState } from "react";
-import { Flex, Box } from "@mantine/core";
+import { useCallback, useEffect, useState } from "react";
+import { Flex, Box, Center, Loader, Stack, Text, Button } from "@mantine/core";
 import { Sidebar } from "./Sidebar";
 import { ChatPanel } from "./ChatPanel";
-import { MOCK_ROOMS } from "./mock";
-import type { User } from "./types";
+import { api } from "./api";
+import type { Room, User } from "./types";
 
 export function ChatShell({
   user,
@@ -12,10 +12,59 @@ export function ChatShell({
   user: User;
   onLogout: () => void;
 }) {
-  const [rooms] = useState(MOCK_ROOMS);
-  const [activeId, setActiveId] = useState<string>(rooms[0]?.id ?? "");
+  const [rooms, setRooms] = useState<Room[]>([]);
+  const [activeId, setActiveId] = useState<string>("");
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  const load = useCallback(() => {
+    setLoading(true);
+    api
+      .listRooms()
+      .then((rs) => {
+        setRooms(rs);
+        setActiveId((cur) => cur || rs[0]?.id || "");
+        setError(null);
+      })
+      .catch((e) => setError(e?.message ?? "No se pudieron cargar las rooms"))
+      .finally(() => setLoading(false));
+  }, []);
+
+  useEffect(() => {
+    load();
+  }, [load]);
+
   const active = rooms.find((r) => r.id === activeId);
 
+  // El panel derecho muestra el estado de carga/error/empty sin tocar el layout.
+  let panel = <ChatPanel room={active} />;
+  if (loading && rooms.length === 0) {
+    panel = (
+      <Center h="100%">
+        <Loader color="brand" />
+      </Center>
+    );
+  } else if (error) {
+    panel = (
+      <Center h="100%">
+        <Stack align="center" gap="sm">
+          <Text c="red" size="sm">
+            {error}
+          </Text>
+          <Button variant="light" color="brand" onClick={load}>
+            Reintentar
+          </Button>
+        </Stack>
+      </Center>
+    );
+  } else if (rooms.length === 0) {
+    panel = (
+      <Center h="100%">
+        <Text c="dimmed">No perteneces a ninguna room todavía</Text>
+      </Center>
+    );
+  }
+
   return (
     <Flex h="100vh" w="100vw" style={{ overflow: "hidden" }}>
       <Box
@@ -36,7 +85,7 @@ export function ChatShell({
         />
       </Box>
       <Box flex={1} h="100%" bg="dark.7" style={{ minWidth: 0 }}>
-        <ChatPanel room={active} user={user} />
+        {panel}
       </Box>
     </Flex>
   );

web/src/Login.tsx

@@ -11,15 +11,29 @@ import {
   Title,
 } from "@mantine/core";
 import { IconShieldLock, IconKey } from "@tabler/icons-react";
+import { api, ApiError } from "./api";
 import type { User } from "./types";
 
 export function Login({ onLogin }: { onLogin: (u: User) => void }) {
   const [handle, setHandle] = useState("");
   const [password, setPassword] = useState("");
+  const [busy, setBusy] = useState(false);
+  const [error, setError] = useState<string | null>(null);
   const ready = handle.trim().length > 0 && password.length > 0;
-  const connect = () => {
-    const h = handle.trim();
-    if (ready) onLogin({ id: h, handle: h });
+  const connect = async () => {
+    if (!ready || busy) return;
+    setBusy(true);
+    setError(null);
+    try {
+      // La contraseña desbloquea la sesión del gateway (passphrase del operador).
+      // El handle es solo el nombre a mostrar en esta iteración (wallet = fase 2).
+      const me = await api.login(password);
+      const h = handle.trim() || me.endpoint.slice(0, 8);
+      onLogin({ id: me.endpoint, handle: h });
+    } catch (e) {
+      setError(e instanceof ApiError ? e.message : "No se pudo conectar al gateway");
+      setBusy(false);
+    }
   };
 
   return (
@@ -52,9 +66,20 @@ export function Login({ onLogin }: { onLogin: (u: User) => void }) {
             leftSection={<IconKey size={16} />}
             value={password}
             onChange={(e) => setPassword(e.currentTarget.value)}
-            onKeyDown={(e) => e.key === "Enter" && connect()}
+            onKeyDown={(e) => e.key === "Enter" && void connect()}
           />
-          <Button w="100%" size="md" onClick={connect} disabled={!ready}>
+          {error && (
+            <Text c="red" size="sm" ta="center">
+              {error}
+            </Text>
+          )}
+          <Button
+            w="100%"
+            size="md"
+            onClick={() => void connect()}
+            disabled={!ready}
+            loading={busy}
+          >
             Conectar
           </Button>
         </Stack>

web/src/api.ts

@@ -0,0 +1,131 @@
+// La única capa por la que la SPA habla con el bus. Cada llamada va al gateway Go
+// bajo /api; el gateway mantiene la sesión `pkg/client` (peer autenticado del
+// bus), cifra/descifra por room y traduce a REST/SSE. El navegador nunca firma,
+// nunca habla NATS y nunca ve una clave privada: solo guarda una cookie de
+// sesión opaca (HttpOnly) que el gateway emite tras el login.
+import type { MeInfo, Message, MsgWire, Room, RoomWire } from "./types";
+
+export class ApiError extends Error {
+  status: number;
+  constructor(message: string, status: number) {
+    super(message);
+    this.status = status;
+  }
+}
+
+async function req<T>(path: string, init?: RequestInit): Promise<T> {
+  const res = await fetch(path, {
+    // same-origin envía la cookie de sesión automáticamente (también detrás del
+    // proxy de vite en dev).
+    credentials: "same-origin",
+    headers: { "Content-Type": "application/json" },
+    ...init,
+  });
+  const text = await res.text();
+  let body: unknown = null;
+  if (text) {
+    try {
+      body = JSON.parse(text);
+    } catch {
+      body = text;
+    }
+  }
+  if (!res.ok) {
+    const msg =
+      body && typeof body === "object" && "error" in body
+        ? String((body as { error: unknown }).error)
+        : `HTTP ${res.status}`;
+    throw new ApiError(msg, res.status);
+  }
+  return body as T;
+}
+
+// roomFromWire mapea la fila del gateway al tipo Room que consume la UI. Los
+// mensajes NO viven aquí: llegan por stream(). lastMessage/lastTs/unread se
+// rellenan de forma neutra para no inventar datos (la cabecera de la sidebar se
+// alimentará del stream en una iteración futura).
+export function roomFromWire(r: RoomWire): Room {
+  return {
+    id: r.id,
+    name: r.name || r.subject,
+    encrypted: r.encrypt,
+    lastMessage: "",
+    lastTs: 0,
+    unread: 0,
+    messages: [],
+  };
+}
+
+// messageFromWire mapea un frame descifrado del SSE al tipo Message de la UI.
+export function messageFromWire(m: MsgWire): Message {
+  return {
+    id: m.id,
+    sender: m.sender,
+    body: m.body,
+    ts: m.ts,
+    mine: m.mine,
+  };
+}
+
+export const api = {
+  // ---- sesión -------------------------------------------------------------
+  // login desbloquea la sesión del gateway con la passphrase del operador. El
+  // gateway responde con una cookie de sesión; me() comprueba si ya hay una.
+  login: (passphrase: string) =>
+    req<MeInfo>("/api/login", {
+      method: "POST",
+      body: JSON.stringify({ passphrase }),
+    }),
+  logout: () => req<{ status: string }>("/api/logout", { method: "POST" }),
+  me: () => req<MeInfo>("/api/me"),
+
+  // ---- rooms --------------------------------------------------------------
+  listRooms: async (): Promise<Room[]> => {
+    const wire = await req<RoomWire[]>("/api/rooms");
+    return wire.map(roomFromWire);
+  },
+  // createRoom: {subject, encrypted} basta — el gateway deriva la policy
+  // Matrix-like (cifrada + persistida + firmada) por defecto.
+  createRoom: async (subject: string, encrypted = true): Promise<Room> => {
+    const r = await req<RoomWire>("/api/rooms", {
+      method: "POST",
+      body: JSON.stringify({ subject, encrypted }),
+    });
+    return roomFromWire(r);
+  },
+  join: (roomID: string) =>
+    req<{ status: string }>(
+      `/api/rooms/${encodeURIComponent(roomID)}/join`,
+      { method: "POST" },
+    ),
+  send: (roomID: string, body: string) =>
+    req<{ status: string }>(
+      `/api/rooms/${encodeURIComponent(roomID)}/send`,
+      { method: "POST", body: JSON.stringify({ body }) },
+    ),
+};
+
+// streamRoom abre el SSE de una room y llama onMessage por cada frame descifrado
+// (historia primero en rooms persistidas, luego en vivo). Devuelve una función
+// de cierre. EventSource manda la cookie de sesión automáticamente y reconecta
+// solo si la conexión cae; onError se invoca en cada corte para que la UI pueda
+// reflejar el estado.
+export function streamRoom(
+  roomID: string,
+  onMessage: (m: Message) => void,
+  onError?: (e: Event) => void,
+): () => void {
+  const es = new EventSource(
+    `/api/rooms/${encodeURIComponent(roomID)}/stream`,
+  );
+  es.onmessage = (ev) => {
+    try {
+      const wire = JSON.parse(ev.data) as MsgWire;
+      onMessage(messageFromWire(wire));
+    } catch {
+      // frame malformado: se ignora, el stream sigue.
+    }
+  };
+  if (onError) es.onerror = onError;
+  return () => es.close();
+}

web/src/types.ts

@@ -1,5 +1,5 @@
-// Tipos de dominio de la UI. En la iteración 1 se llenan con datos mock;
-// más adelante vendrán del gateway (REST/SSE) que es un peer del bus.
+// Tipos de dominio de la UI. Los datos vienen del gateway Go (REST/SSE), que es
+// un peer autenticado del bus. El navegador nunca firma ni habla NATS.
 
 export interface User {
   id: string;
@@ -8,7 +8,7 @@ export interface User {
 
 export interface Message {
   id: string;
-  sender: string; // handle
+  sender: string; // endpoint id del remitente (handle legible es fase 2)
   body: string;
   ts: number; // epoch ms
   mine?: boolean;
@@ -23,3 +23,33 @@ export interface Room {
   unread: number;
   messages: Message[];
 }
+
+// ---- formas de la API del gateway (wire) ---------------------------------
+
+// MeInfo es la identidad del operador que el gateway encarna (GET /api/me).
+export interface MeInfo {
+  endpoint: string;
+  sign_pub: string;
+}
+
+// RoomWire es la fila de room que devuelve el gateway (GET /api/rooms). No trae
+// mensajes: estos llegan por SSE (GET /api/rooms/{id}/stream).
+export interface RoomWire {
+  id: string;
+  subject: string;
+  name: string;
+  epoch: number;
+  encrypt: boolean;
+  persist: boolean;
+  sign_msgs: boolean;
+  role: string;
+}
+
+// MsgWire es un mensaje ya descifrado que el gateway empuja por SSE.
+export interface MsgWire {
+  id: string;
+  sender: string;
+  body: string;
+  ts: number;
+  mine: boolean;
+}

web/vite.config.ts

@@ -3,5 +3,12 @@ import react from "@vitejs/plugin-react";
 
 export default defineConfig({
   plugins: [react()],
-  server: { host: true, port: 5181 },
+  // En dev, /api (REST + SSE) se proxea al gateway Go (cmd/webgw, puerto 8481).
+  // El proxy hace streaming, así que el SSE de /api/rooms/{id}/stream funciona a
+  // través de él. En producción el gateway sirve el dist embebido y no hay proxy.
+  server: {
+    host: true,
+    port: 5181,
+    proxy: { "/api": "http://127.0.0.1:8481" },
+  },
 });