/* ============================================================ acl_lenses.jsx — structured (novice) lenses over the policy model. Each lens parses the live policy text via ACLM.model, edits ONE block, serializes it back with a comment-preserving splice, and shares the same Review→check→diff→PUT save pipeline (LensShell). file mode is read-only in every lens. The raw "Policy" lens stays authoritative. ============================================================ */ /* ---- shared chrome + save pipeline (diff, lockout, concurrency) ---- */ // Heuristic guard: does the policy still grant a broad "reach everything" path? // (Not tied to any signed-in user — API-key auth is separate from ACL policy.) function hasBroadAccess(m) { return (m.acls || []).some((r) => (r.dst || []).some((d) => d === "*:*") && (r.src || []).length > 0); } function LensShell({ tab, setTab, mode, setMode, subtitle, dirty, canSave, syntaxErr, proposedText, baseText, loadedAt, onRevert, onSaved, children }) { const s = useStore(); const toast = useToast(); const readOnly = mode === "file"; const [showDiff, setShowDiff] = useState(false); const lockout = useMemo(() => { if (!proposedText) return false; const before = ACLM.model(baseText),after = ACLM.model(proposedText); return before && after && hasBroadAccess(before) && !hasBroadAccess(after); }, [proposedText, baseText]); const stale = loadedAt != null && s.aclPolicy.updatedAt !== loadedAt; const save = () => { HS.act.saveAcl(proposedText); toast.push({ kind: "success", title: "Policy saved", msg: "PUT /api/v1/policy" }); setShowDiff(false); onSaved && onSaved(); }; return (

Access controls {localStorage.setItem("hs.acldocs", (window.ACL_DOC_SECTION || {})[tab] || "how");setTab("docs");}} style={{ color: "var(--text-faint)" }}>

{subtitle}
{syntaxErr ? raw invalid : dirty ? unsaved : in sync}
{readOnly &&
Policy is file-managed (policy.mode: file). Every lens is read-only — PUT /api/v1/policy would fail. Switch the server to database mode to edit.
} {syntaxErr &&
The raw policy has a syntax error ({syntaxErr}). Fix it in the setTab("policy")}>Raw policy lens before using the structured editors.
} {!syntaxErr && children} {showDiff && setShowDiff(false)} footer={<>
{lockout && This removes the broad “reach everything” (*:*) rule — make sure it's intentional.} {stale && Policy changed on the server since you loaded it.}
}> }
); } /* ---- token chips & pickers ---- */ function kindMeta(kind) { return { user: { icon: "users", color: "var(--accent)" }, group: { icon: "users", color: "var(--info)" }, tag: { icon: "tag", color: "var(--info)" }, host: { icon: "dns", color: "var(--text-dim)" }, cidr: { icon: "routes", color: "var(--text-dim)" }, autogroup: { icon: "shield", color: "var(--warn)" }, wildcard: { icon: "globe", color: "var(--text-dim)" } }[kind] || { icon: "info", color: "var(--text-dim)" }; } function TokenChip({ token, onRemove, readOnly, title }) { const s = useStore(); const kind = ACLM.tokenKind(token); const meta = kindMeta(kind); const u = kind === "user" ? s.users.find((x) => x.name + "@" === token) : null; return ( {u ? : } {token} {!readOnly && onRemove && } ); } const PORT_PRESETS = ["*", "22", "80", "443", "53", "5432", "3389", "80,443"]; function DstChip({ token, onChangePorts, onRemove, readOnly }) { const { target, ports } = ACLM.splitDst(token); const kind = ACLM.tokenKind(target); const meta = kindMeta(kind); const [custom, setCustom] = useState(""); return ( {target} {readOnly ? :{ports} : :{ports}}>
Ports
{PORT_PRESETS.map((p) => onChangePorts(p)}>{p === "*" ? "* (all ports)" : p})}
setCustom(e.target.value)} onKeyDown={(e) => {if (e.key === "Enter" && custom.trim()) {onChangePorts(custom.trim());}}} />
} {!readOnly && onRemove && } ); } /* TokenPicker — menu of valid tokens for a context. ctx: "src" | "dst" | "owner" | "member" | "approver" | "sshuser" */ function TokenPicker({ ctx, base, onPick, exclude = [], readOnly, label = "Add" }) { const s = useStore(); const [customCidr, setCustomCidr] = useState(""); if (readOnly) return null; const ex = new Set(exclude); const users = s.users.filter((u) => !ex.has(u.name + "@")); const groups = Object.keys(base.groups || {}).filter((g) => !ex.has(g)); const tags = [...new Set([...Object.keys(base.tagOwners || {}), ...s.machines.flatMap((m) => m.tags || [])])].filter((t) => !ex.has(t)); const hosts = Object.keys(base.hosts || {}).filter((h) => !ex.has(h)); const autos = ACLM.AUTOGROUPS.filter((a) => a.ctx.includes(ctx)); const wantUsers = ["src", "dst", "owner", "member", "approver"].includes(ctx); const wantGroups = ["src", "dst", "owner", "approver"].includes(ctx); const wantTags = ["src", "dst", "approver"].includes(ctx); const wantHosts = ctx === "dst"; const wantWild = ctx === "src" || ctx === "dst"; const wantAuto = ctx === "src" || ctx === "dst"; const pick = (tok) => {onPick(ctx === "dst" ? ACLM.joinDst(tok, "*") : tok);}; return ( {label}}> {ctx === "member" &&
Users (members are users only)
} {ctx !== "member" && wantUsers &&
Users
} {wantUsers && users.map((u) => pick(u.name + "@")}>{u.name}{u.name}@)} {wantUsers && users.length === 0 &&
All added
} {wantGroups && groups.length > 0 &&
Groups
} {wantGroups && groups.map((g) => pick(g)}>{g})} {wantTags && tags.length > 0 &&
Tags
} {wantTags && tags.map((t) => pick(t)}>{t})} {wantHosts && hosts.length > 0 &&
Hosts
} {wantHosts && hosts.map((h) => pick(h)}>{h})} {wantAuto && autos.length > 0 &&
Special groups
} {wantAuto && autos.map((a) => pick(a.token)}>{a.label}{a.token})} {ctx === "sshuser" && <>
SSH login users
{["root", "ubuntu", "ops", "admin"].map((n) => onPick(n)}>{n})} {ACLM.SSH_USER_AUTOGROUPS.map((a) => onPick(a.token)}>{a.label}{a.token})}} {wantWild && <>
Wildcard
pick("*")}>Everything (*)} {ctx === "dst" &&
Custom CIDR / IP
setCustomCidr(e.target.value)} onKeyDown={(e) => {if (e.key === "Enter" && customCidr.trim()) {onPick(ACLM.joinDst(customCidr.trim(), "*"));setCustomCidr("");}}} />
} ); } /* ---- resolver: "what does this allow" ---- */ function ResolverLine({ rule, ctx }) { const summary = useMemo(() => { const srcSet = new Set(); (rule.src || []).forEach((t) => ACLM.machinesForToken(t, ctx).forEach((m) => srcSet.add(m.id))); const dstSet = new Set(); let internet = false; (rule.dst || []).forEach((d) => {const { target } = ACLM.splitDst(d);if (target === "autogroup:internet") internet = true;ACLM.machinesForToken(target, ctx).forEach((m) => dstSet.add(m.id));}); const srcWild = (rule.src || []).includes("*"); const dstWild = (rule.dst || []).some((d) => ACLM.splitDst(d).target === "*"); return { src: srcWild ? ctx.machines.length : srcSet.size, dst: dstWild ? ctx.machines.length : dstSet.size, srcWild, dstWild, internet }; }, [rule, ctx]); const seg = (n, wild) => wild ? "every machine" : `${n} machine${n !== 1 ? "s" : ""}`; return (
{seg(summary.src, summary.srcWild)} can reach {summary.internet ? the internet (exit nodes) : {seg(summary.dst, summary.dstWild)}}
); } /* ---- reachability simulator ---- */ function Reachability({ base, ctx }) { const s = useStore(); const [open, setOpen] = useState(false); const [src, setSrc] = useState(s.machines[0] ? s.machines[0].id : null); const [dst, setDst] = useState(s.machines[1] ? s.machines[1].id : null); const srcM = s.machines.find((m) => m.id === src); const dstM = s.machines.find((m) => m.id === dst); const result = useMemo(() => { if (!srcM || !dstM) return null; for (let i = 0; i < base.acls.length; i++) { const r = base.acls[i]; const srcOk = (r.src || []).some((t) => t === "*" || ACLM.machineMatches(t, srcM, ctx)); const dstOk = (r.dst || []).some((d) => {const { target } = ACLM.splitDst(d);return target === "*" || ACLM.machineMatches(target, dstM, ctx);}); if (srcOk && dstOk) return { allowed: true, ruleIndex: i, rule: r }; } return { allowed: false }; }, [srcM, dstM, base, ctx]); const MachineSelect = ({ value, onChange }) => {(s.machines.find((m) => m.id === value) || {}).name || "—"}
}> {s.machines.map((m) => onChange(m.id)}>{m.name}{m.ip4})}
; return (
setOpen((v) => !v)}> Reachability check simulate whether one machine can reach another
{open &&
{result && (result.allowed ? Allowed by rule #{result.ruleIndex + 1} : No rule allows this)} Default-deny: traffic is blocked unless an accept rule matches both source and destination. SSH is evaluated separately.
}
); } /* ---- recipes (beat the blank page) ---- */ const RECIPES = [ { label: "Everyone can use exit nodes", rule: { action: "accept", src: ["autogroup:member"], dst: ["autogroup:internet:*"] } }, { label: "Allow all internal traffic", rule: { action: "accept", src: ["*"], dst: ["*:*"] } }, { label: "Admins → everything", rule: { action: "accept", src: ["group:ops"], dst: ["*:*"] } }, { label: "Per-user device isolation (own devices only)", rule: { action: "accept", src: ["autogroup:member"], dst: ["autogroup:self:*"] } }, { label: "Engineers → dev servers", rule: { action: "accept", src: ["group:eng"], dst: ["tag:dev:*"] } }, { label: "Engineers → prod over HTTPS", rule: { action: "accept", src: ["group:eng"], dst: ["tag:prod:443"] } }, { label: "CI → database (Postgres)", rule: { action: "accept", src: ["tag:ci"], dst: ["tag:prod:5432"] } }, { label: "Web tier → DB tier (TCP 5432)", rule: { action: "accept", src: ["tag:edge"], dst: ["tag:prod:5432"], proto: "tcp" } }, { label: "K8s nodes intra-cluster", rule: { action: "accept", src: ["tag:k8s"], dst: ["tag:k8s:*"] } }, { label: "Reach an internal subnet (RFC1918)", rule: { action: "accept", src: ["group:eng"], dst: ["10.0.0.0/8:*"] } }, { label: "Allow ICMP ping everywhere", rule: { action: "accept", src: ["*"], dst: ["*:*"], proto: "icmp" } }, { label: "Lock down CI (prod HTTPS only)", rule: { action: "accept", src: ["tag:ci"], dst: ["tag:prod:443"] } }]; /* ============================================================ 1) RULES lens — the centerpiece sentence builder ============================================================ */ function RulesLens(props) { const { mode } = props; const s = useStore(); const readOnly = mode === "file"; const text = s.aclPolicy.text; const base = useMemo(() => ACLM.model(text), [text]); const syntaxErr = ACLM.parseErr(text); const [acls, setAcls] = useState(() => base ? clone(base.acls) : []); const [loadedAt] = useState(s.aclPolicy.updatedAt); useEffect(() => {if (base) setAcls(clone(base.acls));}, [text]); const ctx = { users: s.users, machines: s.machines, groups: base ? base.groups : {}, tagOwners: base ? base.tagOwners : {}, hosts: base ? base.hosts : {} }; const proposed = useMemo(() => base ? ACLM.writers.acls(text, { ...base, acls }) : text, [acls, text]); const dirty = base ? JSON.stringify(acls) !== JSON.stringify(base.acls) : false; const upd = (i, patch) => setAcls((a) => a.map((r, j) => j === i ? { ...r, ...patch } : r)); const addSrc = (i, tok) => upd(i, { src: [...acls[i].src, tok] }); const rmSrc = (i, tok) => upd(i, { src: acls[i].src.filter((x) => x !== tok) }); const addDst = (i, tok) => upd(i, { dst: [...acls[i].dst, tok] }); const rmDst = (i, tok) => upd(i, { dst: acls[i].dst.filter((x) => x !== tok) }); const setPorts = (i, di, ports) => upd(i, { dst: acls[i].dst.map((d, k) => k === di ? ACLM.joinDst(ACLM.splitDst(d).target, ports) : d) }); const addRule = (rule) => setAcls((a) => [...a, { action: "accept", src: [], dst: [], _extra: {}, representable: true, ...rule }]); const del = (i) => setAcls((a) => a.filter((_, j) => j !== i)); return ( r.src.length && r.dst.length)} syntaxErr={syntaxErr} proposedText={proposed} baseText={text} loadedAt={loadedAt} onRevert={() => setAcls(clone(base.acls))}> {base && <>
{acls.length === 0 &&

No rules — nothing is allowed

Default-deny is in effect. Add a rule or start from a recipe.
} {acls.map((r, i) => props.setTab("policy")} /> )} {!readOnly &&
Start from recipe}>
Insert a starter rule
{RECIPES.map((rc, k) => addRule(rc.rule)}>{rc.label})}
}
} ); } function RuleCard({ r, i, readOnly, base, ctx, addSrc, rmSrc, addDst, rmDst, setPorts, del, goRaw }) { if (!r.representable) { return (
Rule #{i + 1} advanced
Uses fields the visual builder can't represent ({Object.keys(r._extra).join(", ")}). Shown read-only to avoid data loss.
); } return (
Allow rule #{i + 1} {r.proto && proto: {r.proto}}
{!readOnly && } {!readOnly && }
{r.src.map((t) => rmSrc(i, t)} />)} {r.src.length === 0 && any source…} addSrc(i, t)} readOnly={readOnly} label="Source" />
to reach
{r.dst.map((d, di) => setPorts(i, di, p)} onRemove={() => rmDst(i, d)} />)} {r.dst.length === 0 && any destination…} addDst(i, t)} readOnly={readOnly} label="Destination" />
); } /* ============================================================ 2) SSH lens ============================================================ */ function SshLens(props) { const { mode } = props; const s = useStore(); const readOnly = mode === "file"; const text = s.aclPolicy.text; const base = useMemo(() => ACLM.model(text), [text]); const syntaxErr = ACLM.parseErr(text); const [rules, setRules] = useState(() => base ? clone(base.ssh) : []); const [loadedAt] = useState(s.aclPolicy.updatedAt); useEffect(() => {if (base) setRules(clone(base.ssh));}, [text]); const proposed = useMemo(() => base ? ACLM.writers.ssh(text, { ...base, ssh: rules }) : text, [rules, text]); const dirty = base ? JSON.stringify(rules) !== JSON.stringify(base.ssh) : false; const upd = (i, patch) => setRules((a) => a.map((r, j) => j === i ? { ...r, ...patch } : r)); const add = () => setRules((a) => [...a, { action: "accept", src: [], dst: [], users: ["autogroup:nonroot"], _extra: {}, representable: true }]); return ( r.src.length && r.dst.length && r.users.length)} syntaxErr={syntaxErr} proposedText={proposed} baseText={text} loadedAt={loadedAt} onRevert={() => setRules(clone(base.ssh))}> {base &&
{rules.length === 0 &&

No SSH rules

Tailscale SSH is denied by default. Add a rule to allow it.
} {rules.map((r, i) => r.representable ?
{!readOnly ?
: {r.action === "check" ? "Check" : "Allow"}} ssh #{i + 1} {r.action === "check" && re-auth every {r.checkPeriod || "12h"}}
{!readOnly && }
upd(i, { src: r.src.filter((x) => x !== t) })} picker={ upd(i, { src: [...r.src, t] })} readOnly={readOnly} label="Source" />} /> upd(i, { dst: r.dst.filter((x) => x !== t) })} picker={ upd(i, { dst: [...r.dst, t] })} readOnly={readOnly} label="Target" />} /> upd(i, { users: r.users.filter((x) => x !== t) })} picker={ upd(i, { users: [...r.users, t] })} readOnly={readOnly} label="Login" />} /> {r.action === "check" && !readOnly &&
Re-check every {r.checkPeriod || "12h"}}> {["1h", "12h", "24h", "168h"].map((p) => upd(i, { checkPeriod: p })}>{p})}
}
:
SSH rule #{i + 1} advanced
Has fields the builder can't represent ({Object.keys(r._extra).join(", ")}).
)} {!readOnly && } SSH rules are separate from network ACLs. Allow grants the session; Check grants it but forces periodic re-authentication (a security control). autogroup:nonroot blocks root logins.
} ); } function ChipRow({ label, items, onRemove, picker, readOnly, mono }) { const s = useStore(); return (
{label} {items.length === 0 && none…} {items.map((t) => { const u = !mono && s.users.find((x) => x.name + "@" === t); return {u && }{t} {!readOnly && onRemove(t)}>} ; })} {picker}
); } /* ============================================================ 3) TAG OWNERS lens ============================================================ */ function TagOwnersLens(props) { const { mode } = props; const s = useStore(); const readOnly = mode === "file"; const text = s.aclPolicy.text; const base = useMemo(() => ACLM.model(text), [text]); const syntaxErr = ACLM.parseErr(text); const [rows, setRows] = useState(() => base ? toKV(base.tagOwners) : []); const [loadedAt] = useState(s.aclPolicy.updatedAt); useEffect(() => {if (base) setRows(toKV(base.tagOwners));}, [text]); const obj = Object.fromEntries(rows.map((r) => [r.key, r.val])); const proposed = useMemo(() => base ? ACLM.writers.tagOwners(text, { ...base, tagOwners: obj }) : text, [rows, text]); const dirty = base ? JSON.stringify(obj) !== JSON.stringify(base.tagOwners) : false; const badKey = rows.some((r) => !/^tag:[a-z0-9-]+$/.test(r.key)) || rows.some((r, i) => rows.findIndex((x) => x.key === r.key) !== i); const upd = (i, patch) => setRows((rs) => rs.map((r, j) => j === i ? { ...r, ...patch } : r)); const addTag = () => {let n = 1,k;do {k = "tag:new" + (n > 1 ? n : "");n++;} while (rows.some((r) => r.key === k));setRows((rs) => [...rs, { key: k, val: [] }]);}; const tagCount = (t) => s.machines.filter((m) => (m.tags || []).includes(t)).length; return ( setRows(toKV(base.tagOwners))}> {base &&
{badKey && Tag names must be unique and match tag:[a-z0-9-].} {rows.map((r, i) => { const refs = ACLM.referencesOf(base, r.key); const live = tagCount(r.key); return (
{readOnly ? {r.key} : upd(i, { key: e.target.value.replace(/[^a-z0-9:-]/gi, "").toLowerCase() })} />} {live} machine{live !== 1 ? "s" : ""} tagged
{!readOnly && }
upd(i, { val: r.val.filter((x) => x !== t) })} picker={ upd(i, { val: [...r.val, t] })} readOnly={readOnly} label="Add owner" />} />
Owners decide who may apply {r.key} to a device. Owners can be users or groups.
); })} {!readOnly && } A tagged device is owned by its tags, not a user. Only listed owners may register a device with that tag (or set it later).
} ); } /* ============================================================ 4) HOSTS lens ============================================================ */ function HostsLens(props) { const { mode } = props; const s = useStore(); const readOnly = mode === "file"; const text = s.aclPolicy.text; const base = useMemo(() => ACLM.model(text), [text]); const syntaxErr = ACLM.parseErr(text); const [rows, setRows] = useState(() => base ? toKV2(base.hosts) : []); const [loadedAt] = useState(s.aclPolicy.updatedAt); useEffect(() => {if (base) setRows(toKV2(base.hosts));}, [text]); const obj = Object.fromEntries(rows.map((r) => [r.key, r.val])); const proposed = useMemo(() => base ? ACLM.writers.hosts(text, { ...base, hosts: obj }) : text, [rows, text]); const dirty = base ? JSON.stringify(obj) !== JSON.stringify(base.hosts) : false; const dupKey = rows.some((r, i) => r.key && rows.findIndex((x) => x.key === r.key) !== i); const badCidr = rows.some((r) => r.val && !ACLM.isCidrOrIp(r.val)); const upd = (i, patch) => setRows((rs) => rs.map((r, j) => j === i ? { ...r, ...patch } : r)); // overlap warning vs node IPs const nodeIps = new Set(s.machines.map((m) => m.ip4)); return ( r.key && r.val)} syntaxErr={syntaxErr} proposedText={proposed} baseText={text} loadedAt={loadedAt} onRevert={() => setRows(toKV2(base.hosts))}> {base &&
{rows.length === 0 && } {rows.map((r, i) => { const refs = ACLM.referencesOf(base, r.key); const overlap = r.val && [...nodeIps].some((ip) => r.val.split("/")[0] === ip); return ( ); })}
NameIP / CIDRUsed by

No host aliases

Name an IP/subnet so rules can read clearly, e.g. db-primary → 100.64.0.6.
{readOnly ? {r.key} : upd(i, { key: e.target.value.replace(/[^a-z0-9.-]/gi, "").toLowerCase() })} />}
{readOnly ? {r.val} : upd(i, { val: e.target.value })} />} {overlap && node IP}
{refs.length ? {refs.join(", ")} : } {!readOnly && }
{!readOnly &&
}
} ); } /* ============================================================ 5) AUTO-APPROVE lens ============================================================ */ function AutoApproveLens(props) { const { mode } = props; const s = useStore(); const readOnly = mode === "file"; const text = s.aclPolicy.text; const base = useMemo(() => ACLM.model(text), [text]); const syntaxErr = ACLM.parseErr(text); const [routes, setRoutes] = useState(() => base ? toKV(base.autoApprovers.routes) : []); const [exit, setExit] = useState(() => base ? clone(base.autoApprovers.exitNode) : []); const [loadedAt] = useState(s.aclPolicy.updatedAt); useEffect(() => {if (base) {setRoutes(toKV(base.autoApprovers.routes));setExit(clone(base.autoApprovers.exitNode));}}, [text]); const aa = { routes: Object.fromEntries(routes.map((r) => [r.key, r.val])), exitNode: exit }; const proposed = useMemo(() => base ? ACLM.writers.autoApprovers(text, { ...base, autoApprovers: aa }) : text, [routes, exit, text]); const dirty = base ? JSON.stringify(aa) !== JSON.stringify(base.autoApprovers) : false; const updR = (i, patch) => setRoutes((rs) => rs.map((r, j) => j === i ? { ...r, ...patch } : r)); return ( r.key)} syntaxErr={syntaxErr} proposedText={proposed} baseText={text} loadedAt={loadedAt} onRevert={() => {setRoutes(toKV(base.autoApprovers.routes));setExit(clone(base.autoApprovers.exitNode));}}> {base &&

Subnet routes

{routes.length === 0 && No auto-approved subnet routes.} {routes.map((r, i) =>
{readOnly ? {r.key} : updR(i, { key: e.target.value })} />} updR(i, { val: r.val.filter((x) => x !== t) })} picker={ updR(i, { val: [...r.val, t] })} readOnly={readOnly} label="Approver" />} /> {!readOnly && }
)} {!readOnly && }
When a node carrying one of these approver tags/groups advertises the prefix, it's approved without a manual click.

Exit nodes

setExit(exit.filter((x) => x !== t))} picker={ setExit([...exit, t])} readOnly={readOnly} label="Approver" />} />
These nodes' exit-node advertisements (0.0.0.0/0, ::/0) are approved automatically.
} ); } /* ---- small shared bits ---- */ function ReverseIndex({ refs, empty }) { return (
{refs.length === 0 ? {empty} :
Referenced by{refs.map((rf, k) => {rf})}
}
); } function InfoNote({ children }) { return
{children}
; } function clone(x) {return JSON.parse(JSON.stringify(x));} function toKV(obj) {return Object.entries(obj || {}).map(([key, val]) => ({ key, val: (val || []).slice() }));} function toKV2(obj) {return Object.entries(obj || {}).map(([key, val]) => ({ key, val }));} Object.assign(window, { RulesLens, SshLens, TagOwnersLens, HostsLens, AutoApproveLens, LensShell, TokenChip, DstChip, TokenPicker, ResolverLine, Reachability, RuleCard, ChipRow, ReverseIndex, InfoNote });