feat(server): embed admin UI in binary; fix Tailscale auth and systemd install

- Embed ui/build into the axon-server binary via rust-embed; UI is
  always available at /ui without --ui-dir (kept as dev-time override)
- Add root / → /ui redirect (falls back to /health when no UI)
- Fix Tailscale whois auth: tailscaled returns 404 (not 422) for
  non-tailnet peers on current versions; map both to Unauthorized
- Fix axon service install: separate systemd unit templates for user
  and global installs (WantedBy=multi-user.target, User=axon/Group=axon
  for global); add create_axon_system_user() and /var/lib/axon setup
- Replace deprecated launchctl load/unload with bootstrap/bootout
- Add StandardOutput/StandardError=journal to both unit templates
- Replace disk-based UI gateway tests with embedded UI tests

Verification: cargo check --workspace, cargo test -p axon-server --lib

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: easel

Cargo.toml

@@ -119,6 +119,10 @@ humantime = "2"
 dirs = "6"
 toml = "0.8"
 
+# Embedded assets
+rust-embed = "8"
+mime_guess = "2"
+
 # Testing
 pretty_assertions = "1"
 tempfile = "3"

crates/axon-cli/src/service.rs

@@ -56,7 +56,9 @@ fn uninstall_service() -> Result<()> {
 
 // ── systemd (Linux) ──────────────────────────────────────────────────────────
 
-const SYSTEMD_UNIT_TEMPLATE: &str = "\
+/// User service (~/.config/systemd/user/axon.service).
+/// Runs as the invoking user; `WantedBy=default.target` is correct here.
+const SYSTEMD_USER_UNIT: &str = "\
 [Unit]
 Description=Axon Data Store
 After=network.target
@@ -66,11 +68,36 @@ Type=simple
 ExecStart={binary_path} serve
 Restart=on-failure
 RestartSec=5
+StandardOutput=journal
+StandardError=journal
 
 [Install]
 WantedBy=default.target
 ";
 
+/// System service (/etc/systemd/system/axon.service).
+/// Runs as the `axon` system user; `WantedBy=multi-user.target` is standard for
+/// non-graphical daemons.  The user and data directory must be created separately
+/// (see `create_axon_system_user`).
+const SYSTEMD_GLOBAL_UNIT: &str = "\
+[Unit]
+Description=Axon Data Store
+After=network.target
+
+[Service]
+Type=simple
+User=axon
+Group=axon
+ExecStart={binary_path} serve
+Restart=on-failure
+RestartSec=5
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target
+";
+
 fn systemd_unit_path(global: bool) -> Result<PathBuf> {
     if global {
         Ok(PathBuf::from("/etc/systemd/system/axon.service"))
@@ -84,9 +111,46 @@ fn systemd_unit_path(global: bool) -> Result<PathBuf> {
     }
 }
 
+fn create_axon_system_user() -> Result<()> {
+    // Check whether the `axon` system user already exists.
+    let exists = Command::new("id")
+        .arg("axon")
+        .status()
+        .context("failed to run `id axon`")?
+        .success();
+
+    if !exists {
+        run_cmd(
+            "useradd",
+            &[
+                "--system",
+                "--no-create-home",
+                "--home-dir",
+                "/var/lib/axon",
+                "--shell",
+                "/usr/sbin/nologin",
+                "--comment",
+                "Axon Data Store",
+                "axon",
+            ],
+        )
+        .context("failed to create `axon` system user")?;
+        println!("created system user `axon`");
+    }
+
+    // Ensure the data directory exists and is owned by axon.
+    std::fs::create_dir_all("/var/lib/axon")
+        .context("failed to create /var/lib/axon")?;
+    run_cmd("chown", &["axon:axon", "/var/lib/axon"])
+        .context("failed to chown /var/lib/axon")?;
+    println!("data directory: /var/lib/axon");
+    Ok(())
+}
+
 fn install_systemd(bin: &std::path::Path, global: bool) -> Result<()> {
     let unit_path = systemd_unit_path(global)?;
-    let unit_content = SYSTEMD_UNIT_TEMPLATE.replace("{binary_path}", &bin.display().to_string());
+    let template = if global { SYSTEMD_GLOBAL_UNIT } else { SYSTEMD_USER_UNIT };
+    let unit_content = template.replace("{binary_path}", &bin.display().to_string());
 
     if let Some(parent) = unit_path.parent() {
         std::fs::create_dir_all(parent)
@@ -97,6 +161,7 @@ fn install_systemd(bin: &std::path::Path, global: bool) -> Result<()> {
     println!("wrote {}", unit_path.display());
 
     if global {
+        create_axon_system_user()?;
         run_cmd("systemctl", &["daemon-reload"])?;
         run_cmd("systemctl", &["enable", "axon"])?;
         println!("enabled axon.service (system)");
@@ -156,6 +221,16 @@ const LAUNCHD_PLIST_TEMPLATE: &str = r#"<?xml version="1.0" encoding="UTF-8"?>
 
 const LAUNCHD_LABEL: &str = "com.axon.server";
 
+/// Returns `gui/<uid>` — the launchctl domain for the current user's GUI session.
+fn launchd_user_domain() -> Result<String> {
+    let out = Command::new("id")
+        .arg("-u")
+        .output()
+        .context("failed to run `id -u`")?;
+    let uid = String::from_utf8_lossy(&out.stdout).trim().to_string();
+    Ok(format!("gui/{uid}"))
+}
+
 fn launchd_plist_path(global: bool) -> Result<PathBuf> {
     if global {
         Ok(PathBuf::from(
@@ -182,7 +257,17 @@ fn install_launchd(bin: &std::path::Path, global: bool) -> Result<()> {
         .with_context(|| format!("failed to write {}", plist_path.display()))?;
     println!("wrote {}", plist_path.display());
 
-    run_cmd("launchctl", &["load", &plist_path.display().to_string()])?;
+    // `launchctl load` is deprecated; use `bootstrap` on macOS 10.15+.
+    // For user agents: bootstrap gui/<uid>; for system daemons: bootstrap system.
+    if global {
+        run_cmd("launchctl", &["bootstrap", "system", &plist_path.display().to_string()])?;
+    } else {
+        let domain = launchd_user_domain()?;
+        run_cmd(
+            "launchctl",
+            &["bootstrap", &domain, &plist_path.display().to_string()],
+        )?;
+    }
     println!("loaded {LAUNCHD_LABEL}");
     Ok(())
 }
@@ -191,15 +276,16 @@ fn uninstall_launchd() -> Result<()> {
     let user_path = launchd_plist_path(false)?;
     let global_path = launchd_plist_path(true)?;
 
-    let plist_path = if user_path.exists() {
-        user_path
+    let (plist_path, domain) = if user_path.exists() {
+        (user_path, launchd_user_domain()?)
     } else if global_path.exists() {
-        global_path
+        (global_path, "system".to_string())
     } else {
         anyhow::bail!("no axon launchd plist found");
     };
 
-    let _ = run_cmd("launchctl", &["unload", &plist_path.display().to_string()]);
+    // `launchctl unload` is deprecated; use `bootout`.
+    let _ = run_cmd("launchctl", &["bootout", &domain, &plist_path.display().to_string()]);
     std::fs::remove_file(&plist_path)
         .with_context(|| format!("failed to remove {}", plist_path.display()))?;
     println!("removed {}", plist_path.display());

crates/axon-server/Cargo.toml

@@ -42,6 +42,8 @@ tokio-stream.workspace = true
 uuid.workspace = true
 humantime.workspace = true
 rusqlite.workspace = true
+rust-embed.workspace = true
+mime_guess.workspace = true
 
 [package.metadata.cargo-machete]
 ignored = ["prost"]

crates/axon-server/src/auth.rs

@@ -304,7 +304,12 @@ impl LocalApiWhoisProvider {
                 AuthError::ProviderUnavailable(format!("body aggregation failed: {e}"))
             })?;
             Ok(hyper::body::Bytes::from(buf))
-        } else if status == http::StatusCode::UNPROCESSABLE_ENTITY {
+        } else if status == http::StatusCode::NOT_FOUND
+            || status == http::StatusCode::UNPROCESSABLE_ENTITY
+        {
+            // 404: address not known to this tailnet (observed on Tailscale ≥ 1.x).
+            // 422: legacy "unprocessable entity" returned by older daemon versions.
+            // Both mean the peer is not a tailnet member — not a provider fault.
             Err(AuthError::Unauthorized(
                 "peer is not a recognized tailnet address".into(),
             ))

crates/axon-server/src/embedded_ui.rs

@@ -0,0 +1,65 @@
+//! Embedded admin UI — assets from `ui/build` compiled into the binary.
+//!
+//! The `UiAssets` struct embeds every file under `ui/build` at compile time.
+//! The axum handler serves them at `/ui/*path` with correct `Content-Type`
+//! headers, and falls back to `index.html` for any unrecognised path so that
+//! SvelteKit client-side routing works correctly.
+//!
+//! **Build prerequisite**: `ui/build` must exist before `cargo build`.
+//! Run `cd ui && bun run build` (or `npm run build`) first.
+
+use axum::body::Body;
+use axum::http::{header, StatusCode, Uri};
+use axum::response::{IntoResponse, Response};
+use rust_embed::RustEmbed;
+
+/// All files under `ui/build`, embedded at compile time.
+///
+/// The `#[folder]` path is relative to the crate root (`crates/axon-server/`),
+/// so `../../ui/build` resolves to `ui/build` in the workspace root.
+#[derive(RustEmbed)]
+#[folder = "../../ui/build"]
+struct UiAssets;
+
+/// Axum handler for `GET /ui` and `GET /ui/*path`.
+///
+/// Strips the `/ui` prefix, looks up the file in [`UiAssets`], and responds
+/// with the correct `Content-Type`.  Unknown paths fall back to `index.html`
+/// so SvelteKit's client-side router can handle them.
+pub async fn embedded_ui_handler(uri: Uri) -> Response {
+    let raw = uri.path();
+    // Strip the /ui prefix that axum leaves on the URI when not using nest_service.
+    let asset_path = raw
+        .strip_prefix("/ui/")
+        .or_else(|| raw.strip_prefix("/ui"))
+        .unwrap_or(raw);
+    let asset_path = if asset_path.is_empty() {
+        "index.html"
+    } else {
+        asset_path
+    };
+
+    serve_asset(asset_path)
+}
+
+fn serve_asset(path: &str) -> Response {
+    match UiAssets::get(path) {
+        Some(content) => {
+            let mime = mime_guess::from_path(path).first_or_octet_stream();
+            Response::builder()
+                .header(header::CONTENT_TYPE, mime.as_ref())
+                .body(Body::from(content.data))
+                .unwrap_or_else(|_| StatusCode::INTERNAL_SERVER_ERROR.into_response())
+        }
+        None => {
+            // SPA fallback: let the client-side router handle unknown paths.
+            match UiAssets::get("index.html") {
+                Some(index) => Response::builder()
+                    .header(header::CONTENT_TYPE, "text/html; charset=utf-8")
+                    .body(Body::from(index.data))
+                    .unwrap_or_else(|_| StatusCode::INTERNAL_SERVER_ERROR.into_response()),
+                None => StatusCode::NOT_FOUND.into_response(),
+            }
+        }
+    }
+}

crates/axon-server/src/gateway.rs

@@ -2230,13 +2230,20 @@ pub fn build_router_with_auth(
         );
 
     router = router
+        .route("/", get(|| async { axum::response::Redirect::temporary("/ui") }))
         .route("/auth/me", get(auth_me))
         .route("/graphql/playground", get(graphql_playground_handler));
 
+    // UI: disk directory overrides the embedded build (useful during development).
+    // When --ui-dir is not set, serve the UI compiled into the binary.
     if let Some(ui_dir) = ui_dir {
         let index_path = ui_dir.join("index.html");
         let ui_service = get_service(ServeDir::new(ui_dir).fallback(ServeFile::new(index_path)));
         router = router.nest_service("/ui", ui_service);
+    } else {
+        router = router
+            .route("/ui", get(crate::embedded_ui::embedded_ui_handler))
+            .route("/ui/{*path}", get(crate::embedded_ui::embedded_ui_handler));
     }
 
     if let Some(cp) = control_plane {
@@ -4207,54 +4214,70 @@ mod tests {
             .any(|collection| collection == "tasks"));
     }
 
-    #[tokio::test]
-    async fn http_serves_ui_assets_under_ui_prefix() {
-        let dir = tempfile::tempdir().unwrap();
-        std::fs::write(
-            dir.path().join("index.html"),
-            "<html><body>Axon UI</body></html>",
-        )
-        .unwrap();
-        std::fs::create_dir_all(dir.path().join("_app")).unwrap();
-        std::fs::write(dir.path().join("_app/app.js"), "console.log('ui');").unwrap();
-
-        let storage: Box<dyn StorageAdapter + Send + Sync> = Box::new(
-            SqliteStorageAdapter::open_in_memory().expect("in-memory SQLite should open"),
-        );
-        let handler: TenantHandler = Arc::new(Mutex::new(AxonHandler::new(storage)));
-        let tenant_router = Arc::new(TenantRouter::single(handler));
-        let app = build_router(tenant_router, "memory", Some(dir.path().to_path_buf()));
-        let server = TestServer::new(app);
-
-        let index = server.get("/ui").await;
-        index.assert_status_ok();
-        assert!(index.text().contains("Axon UI"));
+    // ── Embedded UI tests ─────────────────────────────────────────────────────
+    // These tests exercise the embedded-UI path (ui_dir = None), which is the
+    // default when axon is run without --ui-dir.  They rely on the real
+    // ui/build assets compiled into the binary via rust-embed.
 
-        let asset = server.get("/ui/_app/app.js").await;
-        asset.assert_status_ok();
-        assert!(asset.text().contains("console.log"));
+    #[tokio::test]
+    async fn http_root_redirects_to_ui() {
+        let server = test_server();
+        let resp = server.get("/").await;
+        resp.assert_status(StatusCode::TEMPORARY_REDIRECT);
+        let location = resp
+            .headers()
+            .get(header::LOCATION)
+            .and_then(|v| v.to_str().ok())
+            .unwrap_or("");
+        assert!(location.ends_with("/ui"), "expected redirect to /ui, got: {location}");
     }
 
     #[tokio::test]
-    async fn http_ui_nested_routes_fallback_to_index_html() {
-        let dir = tempfile::tempdir().unwrap();
-        std::fs::write(
-            dir.path().join("index.html"),
-            "<html><body>Axon UI Shell</body></html>",
-        )
-        .unwrap();
+    async fn http_embedded_ui_index_returns_html() {
+        let server = test_server();
+        let resp = server.get("/ui").await;
+        resp.assert_status_ok();
+        let ct = resp
+            .headers()
+            .get(header::CONTENT_TYPE)
+            .and_then(|v| v.to_str().ok())
+            .unwrap_or("");
+        assert!(ct.starts_with("text/html"), "expected text/html, got: {ct}");
+        // SvelteKit's static build always starts with <!DOCTYPE html>
+        assert!(resp.text().starts_with("<!DOCTYPE html"), "expected HTML document");
+    }
 
-        let storage: Box<dyn StorageAdapter + Send + Sync> = Box::new(
-            SqliteStorageAdapter::open_in_memory().expect("in-memory SQLite should open"),
+    #[tokio::test]
+    async fn http_embedded_ui_static_asset_served_with_correct_content_type() {
+        // _app/env.js is a stable filename generated by SvelteKit.
+        let server = test_server();
+        let resp = server.get("/ui/_app/env.js").await;
+        resp.assert_status_ok();
+        let ct = resp
+            .headers()
+            .get(header::CONTENT_TYPE)
+            .and_then(|v| v.to_str().ok())
+            .unwrap_or("");
+        assert!(
+            ct.starts_with("application/javascript") || ct.starts_with("text/javascript"),
+            "expected JS content-type, got: {ct}"
         );
-        let handler: TenantHandler = Arc::new(Mutex::new(AxonHandler::new(storage)));
-        let tenant_router = Arc::new(TenantRouter::single(handler));
-        let app = build_router(tenant_router, "memory", Some(dir.path().to_path_buf()));
-        let server = TestServer::new(app);
+    }
 
-        let resp = server.get("/ui/collections/tasks").await;
+    #[tokio::test]
+    async fn http_embedded_ui_unknown_path_falls_back_to_index_html() {
+        // Unrecognised paths must return index.html so SvelteKit's client-side
+        // router can handle them without a hard 404.
+        let server = test_server();
+        let resp = server.get("/ui/some/deep/spa/route").await;
         resp.assert_status_ok();
-        assert!(resp.text().contains("Axon UI Shell"));
+        let ct = resp
+            .headers()
+            .get(header::CONTENT_TYPE)
+            .and_then(|v| v.to_str().ok())
+            .unwrap_or("");
+        assert!(ct.starts_with("text/html"), "fallback must be HTML, got: {ct}");
+        assert!(resp.text().starts_with("<!DOCTYPE html"), "expected index.html fallback");
     }
 
     #[tokio::test]