dashboard: per-container applied agent.nix viewer

new GET /api/agent-config/{name} returns the contents of /var/lib/hyperhive/applied/<name>/agent.nix — the file the container actually builds against. validated against the live container list to avoid arbitrary filesystem reads. frontend mirrors the journald viewer: collapsed <details> on each container row, lazy-fetches on expand, refresh button re-fetches. restore-keyed (agent-config:<name>) so it survives the dashboard heartbeat refresh. read-only — mutating the applied config goes through the existing request_apply_commit + operator approval flow.
2026-05-15 21:46:25 +02:00 · 2026-05-15 21:46:25 +02:00 · 91c78d626f
commit 91c78d626f
parent 80229c6af9
3 changed files with 70 additions and 9 deletions
--- a/hive-c0re/src/dashboard.rs
+++ b/hive-c0re/src/dashboard.rs
@ -54,6 +54,7 @@ pub async fn serve(port: u16, coord: Arc<Coordinator>) -> Result<()> {
        .route("/cancel-question/{id}", post(post_cancel_question))
        .route("/purge-tombstone/{name}", post(post_purge_tombstone))
        .route("/api/journal/{name}", get(get_journal))
+        .route("/api/agent-config/{name}", get(get_agent_config))
        .route("/request-spawn", post(post_request_spawn))
        .route("/messages/stream", get(messages_stream))
        .with_state(AppState { coord });
@ -548,6 +549,30 @@ async fn get_journal(
    }
 }

+/// Show the current `agent.nix` from the applied repo — the file
+/// the container actually builds against. Read-only; the manager
+/// can't influence what this returns (that path goes through the
+/// approval queue).
+async fn get_agent_config(AxumPath(name): AxumPath<String>) -> Response {
+    let logical = strip_container_prefix(&name);
+    // Constrain to managed containers — same shape as the journal
+    // endpoint, prevents arbitrary filesystem reads.
+    let live = lifecycle::list().await.unwrap_or_default();
+    let prefixed = if logical == lifecycle::MANAGER_NAME {
+        logical.clone()
+    } else {
+        format!("{}{logical}", lifecycle::AGENT_PREFIX)
+    };
+    if !live.iter().any(|c| c == &prefixed) {
+        return error_response(&format!("agent-config: no managed container {prefixed:?}"));
+    }
+    let path = Coordinator::agent_applied_dir(&logical).join("agent.nix");
+    match std::fs::read_to_string(&path) {
+        Ok(body) => ([("content-type", "text/plain; charset=utf-8")], body).into_response(),
+        Err(e) => error_response(&format!("read {}: {e}", path.display())),
+    }
+}
+
 async fn post_purge_tombstone(
    State(state): State<AppState>,
    AxumPath(name): AxumPath<String>,