VaultMesh Command Center
Minimal, no-bloat control plane for VaultMesh nodes.
- Rust backend (Axum) with server-rendered HTML (HTMX-ready)
- Node agent (Rust daemon) that runs on each VaultMesh node
- Zero external infra deps (no Redis, Kafka, k8s)
- Cloudflare-native: fronted by Cloudflare Tunnel + Access
Repository Layout
vaultmesh-command-center/
├── Cargo.toml # Workspace manifest
├── README.md
├── .gitignore
├── command-center/ # Backend + Web UI
│ ├── Cargo.toml
│ └── src/
│ ├── main.rs # Entry point, server setup
│ ├── routes.rs # HTTP handlers
│ └── state.rs # AppState, in-memory node store
├── node-agent/ # Daemon for each VaultMesh node
│ ├── Cargo.toml
│ └── src/
│ ├── main.rs # Heartbeat loop
│ └── config.rs # Env config loader
├── docs/
│ ├── ARCHITECTURE.md # How it all fits together
│ └── NODE_AGENT_CONTRACT.md # Agent API spec
└── systemd/
├── vaultmesh-command-center.service
└── vaultmesh-node-agent.service
Quick Start
# Clone and build
git clone <your-url> vaultmesh-command-center
cd vaultmesh-command-center
# Run the command center locally
cd command-center
RUST_LOG=info cargo run
# listens on 127.0.0.1:8088
# In another terminal, run the agent (pointing at local CC)
cd ../node-agent
RUST_LOG=info VAULTMESH_OS_PROFILE=ArchVault cargo run
Then:
- Put the Command Center behind a Cloudflare Tunnel.
- Protect it with Cloudflare Access.
- Install the node agent as a systemd service on each VaultMesh node.
Deployment
Command Center
-
Build release binary:
cargo build --release -p vaultmesh-command-center -
Copy to
/usr/local/bin/:sudo cp target/release/vaultmesh-command-center /usr/local/bin/ -
Install systemd unit:
sudo cp systemd/vaultmesh-command-center.service /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable --now vaultmesh-command-center -
Configure Cloudflare Tunnel to point at
http://127.0.0.1:8088.
Node Agent
-
Build release binary:
cargo build --release -p vaultmesh-node-agent -
Copy to each node:
sudo cp target/release/vaultmesh-node-agent /usr/local/bin/ -
Create environment file
/etc/vaultmesh/agent.env:VAULTMESH_CC_URL=https://cc.your-domain.example VAULTMESH_OS_PROFILE=ArchVault VAULTMESH_ROOT=/var/lib/vaultmesh VAULTMESH_HEARTBEAT_SECS=30 -
Install systemd unit:
sudo cp systemd/vaultmesh-node-agent.service /etc/systemd/system/ sudo systemctl daemon-reload sudo systemctl enable --now vaultmesh-node-agent
API Endpoints
| Method | Path | Description |
|---|---|---|
| GET | / |
HTML dashboard showing all nodes |
| GET | /nodes |
JSON array of all node heartbeats |
| GET | /nodes/:id |
Node detail page (HTML) |
| POST | /nodes/:id/commands |
Queue command for node (web form or API) |
| POST | /api/agent/heartbeat |
Agent heartbeat endpoint |
| GET | /api/agent/commands?node_id=<uuid> |
Agent polls for pending commands |
| POST | /api/agent/command-result |
Agent reports command execution result |
Fleet Operation Model (V0.5)
Green fleet:
- Attention =
OK. - Heartbeats fresh (age <
VAULTMESH_HEARTBEAT_STALE_MINUTES). - Last scan age <
VAULTMESH_SCAN_STALE_HOURS. - No critical or high findings.
Yellow/Red fleet:
Check Attention reasons in order:
heartbeat_stale→ connectivity / host issue.cloudflare_down/services_down→ control plane or local service failure.never_scanned/scan_stale→ wait for scheduler or trigger manual scan (if policy allows).critical_findings/high_findings→ prioritize remediation on that node.
Policy guardrail:
- Disallowed commands are blocked with HTTP 403.
- Scheduler respects policy;
sovereign-scanmust be allowed for a profile to be auto-queued.
Configuration
| Variable | Default | Description |
|---|---|---|
VAULTMESH_SCAN_INTERVAL_HOURS |
24 |
Auto-scan interval |
VAULTMESH_SCAN_STALE_HOURS |
48 |
Scan staleness threshold |
VAULTMESH_HEARTBEAT_STALE_MINUTES |
10 |
Heartbeat staleness |
VAULTMESH_SCHEDULER_TICK_SECONDS |
300 |
Scheduler tick interval |
VAULTMESH_CC_KEY_PATH |
cc-ed25519.key |
Command signing key path |
License
MIT