Layer8 Operator Console
The Layer8 Operator Console is a single-operator admin + observability web
console that fronts agent-locksmith's existing admin HTTPS API (:9201).
It replaces the docker exec + CLI + --since-ms epoch-millisecond ritual
with a visible, attributable, footgun-proof interface.
:::note Status The console is an in-progress prototype. A working preview is deployed at studio-1.taile222a3.ts.net/layer8-operator-console (reachable on the Tailnet). This page tracks the design; screens and behavior may change. :::
What it does
The console covers six screens, realizing 20 functional requirements over the operator routes already exposed by locksmith's admin listener:
- Catalog / Registrations — view and edit
model/tool/infraregistrations; surface silently-degraded (unresolved env var) entries. - Agents & ACL — list agents, edit allowlists/denylists, register/revoke, manage per-agent credential overrides.
- Audit Explorer — query the audit trail with human date pickers instead of
--since-mshand-math; filter by agent, tool, event class, decision. - OAuth Sessions — see session state and surface degraded sessions before a 503 hits an agent.
- Bootstrap Tokens — mint / list / revoke enrollment tokens.
- Health / Status — render
/livez,/readyz,/version— including the offendingtools[]when readiness reports unresolved credentials.
The load-bearing boundary
The console invents no new backend operation. Every action maps 1:1 to an admin route and a CLI verb that already ships in locksmith. It is a consumption contract over an existing surface, not a new subsystem.
Three design invariants shape every screen:
- Not a secret-management UI. The console renders credential shape, status, and attribution (env-var names, wired/degraded, override-vs- default) — never a value. The sole cleartext is a reveal-once modal for one-time secrets (a freshly minted bearer), shown once and never persisted.
- Footguns are unrepresentable, not warned. The OAuth-registration clobber, the ACL no-op/self-wipe, and the seed-vs-operator confusion the CLI permits are removed from the UI's expressible surface.
- Silent degradation is made loud. Degraded OAuth sessions and silently-no-injecting registrations surface on load, before an agent-facing 503/401.
Architecture
The console is a React + shadcn/ui + Tailwind SPA in front of a thin
backend-for-frontend (BFF). The BFF holds the operator bearer (or presents
a client certificate to the admin listener) server-side, issues the browser an
opaque HTTP-only, SameSite=Strict, Secure session cookie, and proxies each
browser call to https://<host>:9201/admin/operator/.... The browser never
sees the crown-jewel operator credential. The BFF holds no persistence and adds
no authorization logic — locksmith remains the sole authority behind :9201.
References
- PRD:
agents-stack/docs/prd/v0.5.0-operator-console.md— 20 FRs across 6 screens. - Design:
agents-stack/docs/spec/v0.5.0-operator-console.md— the technical design (BFF decision, screen-by-screen realization). - Anchor ADRs: ADR-0004 (kind taxonomy), ADR-0005 (OAuth credentials), ADR-0006 (1Password is the secret store), ADR-0007 (agent endpoints as model registrations).
See also
- Architecture — the broker/ACL/egress model the console renders.
- Agent Locksmith CLI reference — the CLI verbs the console mirrors.