feat(dashboard): Embedded Isometric System Dashboard#176
Open
Tuntii wants to merge 11 commits into
Open
Conversation
Adds a self-contained, feature-gated admin dashboard surface under
`/__rustapi/dashboard` behind the `core-dashboard` feature flag.
What's new:
- `rustapi-core/dashboard` module with DashboardMetrics, DashboardConfig,
DashboardAuth, routes::dispatch(), and dashboard.html SPA
- DashboardMetrics: zero-overhead atomic counters for three execution
paths (UltraFast / Fast / Full), per-route hit counts via dashmap
- DashboardConfig builder: .admin_token(), .path(), .title()
- Four endpoints: HTML SPA (no auth), /api/snapshot, /api/routes,
/api/metrics (Bearer token auth)
- Dark glassmorphism SPA with isometric execution-path canvas,
stat cards, RPS sparkline (Chart.js 4.4 CDN), auto-refresh 3s
- server.rs: execution-path instrumentation (cfg-gated, zero cost off)
- app.rs: .dashboard(DashboardConfig) builder + apply_dashboard()
- rustapi-rs facade: core-dashboard feature, re-exports, prelude, full bundle
- Public API snapshot updated
- 16 integration tests (config, metrics, auth, dispatch endpoints)
Usage:
rustapi-rs = { version = "*", features = ["core-dashboard"] }
RustApi::new()
.route("/api/users", get(list_users))
.dashboard(DashboardConfig::new().admin_token("secret"))
.run("127.0.0.1:8080")
.await
Tuntii
added
enhancement
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new feature-gated embedded admin dashboard to RustAPI, exposing an HTML SPA plus JSON endpoints and instrumenting the server hot-path to collect execution-path and per-route metrics.
Changes:
- Introduces
rustapi-coredashboardmodule (config/auth/metrics/routes + embedded HTML) and wires it intoRustApiand request handling under a feature flag. - Exposes dashboard types through
rustapi-rs(core-dashboardfeature) and updates the all-features public API snapshot. - Adds
dashmapas an optional dependency and includes integration tests for the dashboard module.
Reviewed changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 11 comments.
Show a summary per file
| File | Description |
|---|---|
| crates/rustapi-rs/src/lib.rs | Adds dashboard module + re-exports under core-dashboard (also changes legacy root alias surface). |
| crates/rustapi-rs/Cargo.toml | Adds core-dashboard feature and includes it in full. |
| crates/rustapi-core/tests/dashboard_tests.rs | Adds integration tests for config, metrics, auth behavior, and dispatch routing. |
| crates/rustapi-core/src/server.rs | Adds metrics timing + execution-path classification + request recording (feature-gated). |
| crates/rustapi-core/src/lib.rs | Exposes dashboard module and re-exports dashboard types when enabled. |
| crates/rustapi-core/src/dashboard/routes.rs | Adds dispatch + handlers for HTML + JSON endpoints. |
| crates/rustapi-core/src/dashboard/mod.rs | Adds module entry point and re-exports dashboard types. |
| crates/rustapi-core/src/dashboard/metrics.rs | Adds atomic counters + per-route DashMap + snapshot builder. |
| crates/rustapi-core/src/dashboard/dashboard.html | Adds embedded SPA (Chart.js + isometric canvas + auto-refresh). |
| crates/rustapi-core/src/dashboard/config.rs | Adds builder-style DashboardConfig (token/path/title). |
| crates/rustapi-core/src/dashboard/auth.rs | Adds Bearer-token guard for JSON endpoints. |
| crates/rustapi-core/src/app.rs | Adds .dashboard() API and registers dashboard routes + state. |
| crates/rustapi-core/Cargo.toml | Adds optional dashmap dependency and dashboard feature. |
| Cargo.lock | Locks dashmap addition. |
| api/public/rustapi-rs.all-features.txt | Updates published all-features API surface to include dashboard exports. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+231
to
235
| /// Dashboard module: embedded isometric system dashboard. | ||
| #[cfg(feature = "core-dashboard")] | ||
| pub mod dashboard { | ||
| pub use rustapi_core::dashboard::{DashboardConfig, DashboardMetrics, DashboardSnapshot}; | ||
| } |
Comment on lines
+1294
to
+1296
| // Register dashboard routes | ||
| let prefix = config.path.trim_end_matches('/').to_owned(); | ||
|
|
Comment on lines
+129
to
+136
| let entry = self.route_counters.entry(path.to_string()).or_default(); | ||
| entry.hits.fetch_add(1, Ordering::Relaxed); | ||
| entry | ||
| .total_latency_ms | ||
| .fetch_add(duration_ms, Ordering::Relaxed); | ||
| if is_error { | ||
| entry.errors.fetch_add(1, Ordering::Relaxed); | ||
| } |
Comment on lines
+53
to
+56
| match (method, suffix) { | ||
| // HTML page — no auth required (browsers can't easily send Bearer headers) | ||
| ("GET", "" | "index.html") => Some(serve_html()), | ||
|
|
Comment on lines
+363
to
+370
| function getToken() { | ||
| // 1. URL ?token= | ||
| const p = new URLSearchParams(window.location.search); | ||
| if (p.has('token')) return p.get('token'); | ||
| // 2. Input field | ||
| const inp = document.getElementById('token-input').value.trim(); | ||
| return inp || null; | ||
| } |
Contributor
There was a problem hiding this comment.
Applied in commit 802d1d6:
- Token URL stripping:
getToken()now only reads from the input field. OnDOMContentLoaded, if?token=is present it is moved into the password input and immediately stripped from the address bar viahistory.replaceState— it will not appear in browser history or server logs. - Strict referrer policy: Added
<meta name="referrer" content="no-referrer">so noRefererheader is sent on any sub-requests. - Removed CDN dependency: Dropped the Chart.js
<script>tag entirely and replaced the RPS sparkline with a self-contained Canvas 2D implementation (drawRpsChart()), so no third-party asset can receive the token viaReferer.
Comment on lines
+11
to
+12
| /// Returns `Ok(())` if the token is valid or if `expected` is `None` (no auth configured). | ||
| /// Returns an HTTP 401/403 response on failure. |
Comment on lines
+25
to
+45
| Some(value) if value.starts_with("Bearer ") => { | ||
| let token = &value["Bearer ".len()..]; | ||
| if token == expected { | ||
| Ok(()) | ||
| } else { | ||
| Err(json_response( | ||
| StatusCode::UNAUTHORIZED, | ||
| json!({ | ||
| "error": "unauthorized", | ||
| "message": "Invalid admin token" | ||
| }), | ||
| )) | ||
| } | ||
| } | ||
| Some(_) => Err(json_response( | ||
| StatusCode::UNAUTHORIZED, | ||
| json!({ | ||
| "error": "unauthorized", | ||
| "message": "Expected 'Authorization: Bearer <token>'" | ||
| }), | ||
| )), |
Comment on lines
+35
to
+41
| /// Create a dashboard configuration with secure defaults. | ||
| pub fn new() -> Self { | ||
| Self { | ||
| admin_token: None, | ||
| path: "/__rustapi/dashboard".to_string(), | ||
| title: "RustAPI System Dashboard".to_string(), | ||
| } |
Comment on lines
+53
to
+58
| /// Override the URL prefix for the dashboard. | ||
| /// | ||
| /// Must start with `/`. Default: `"/__rustapi/dashboard"`. | ||
| pub fn path(mut self, path: impl Into<String>) -> Self { | ||
| self.path = path.into(); | ||
| self |
… release-drafter v7 token/autolabeler
Add a repository hook and PowerShell guardrail script that runs on PreToolUse. The hook (.github/hooks/rustapi-guardrails.json) invokes .github/scripts/copilot_guardrails.ps1 cross-platform (powershell/pwsh) with a 10s timeout. The script parses the incoming JSON payload, emits contextual reminders for public API, changelogs, examples, and Rust source changes, and detects potentially destructive terminal/git commands (e.g. git push, reset --hard, git clean, gh pr merge, recursive deletions). When dangerous patterns are found it returns a permissionDecision 'ask' with a reason; otherwise it returns non-blocking reminder messages via the systemMessage field.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
… referrer policy Agent-Logs-Url: https://github.com/Tuntii/RustAPI/sessions/c570ed7b-0217-4b5b-a1c2-4e5d05ea977e Co-authored-by: Tuntii <121901995+Tuntii@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a self-contained, feature-gated admin dashboard at
/__rustapi/dashboardbehind thecore-dashboardfeature flag (disabled by default, zero cost when off).New Files
dashboard/metrics.rsDashboardMetrics— atomic UltraFast/Fast/Full counters + per-routedashmapdashboard/config.rsDashboardConfigbuilder (.admin_token(),.path(),.title())dashboard/auth.rsDashboardAuth::check()— Bearer token guarddashboard/routes.rsdispatch()— 4 endpoints (HTML + 3 JSON)dashboard/dashboard.htmltests/dashboard_tests.rsEndpoints
GET/__rustapi/dashboardGET/__rustapi/dashboard/api/snapshotGET/__rustapi/dashboard/api/routesGET/__rustapi/dashboard/api/metricsUI Highlights
?token=or header inputExecution-Path Tracking
server.rsnow classifies each request into the same three paths used internally and records it on theDashboardMetricsatomics. Instrumentation is wrapped in#[cfg(feature = "dashboard")]— zero impact when disabled, including on the UltraFast path.Usage
Then open
http://localhost:8080/__rustapi/dashboard?token=my-secret-tokenin your browser.Checklist
cargo check --workspace— PASScargo clippy -p rustapi-core --features dashboard -- -D warnings— PASScargo fmt --all -- --check— PASScargo test -p rustapi-core --features dashboard --test dashboard_tests— 16/16 PASSapi/public/rustapi-rs.all-features.txt)