Gateway: add browser control UI

docs/control-ui.md

@@ -0,0 +1,51 @@
+---
+summary: "Browser-based control UI for the Gateway (chat, nodes, config)"
+read_when:
+  - You want to operate the Gateway from a browser
+  - You want Tailnet access without SSH tunnels
+---
+# Control UI (browser)
+
+The Control UI is a small **Vite + Lit** single-page app served by the Gateway under:
+
+- `http://<host>:18789/ui/`
+
+It speaks **directly to the Gateway WebSocket** on the same port.
+
+## What it can do (today)
+- Chat with the model via Gateway WS (`chat.history`, `chat.send`, `chat.abort`)
+- List nodes via Gateway WS (`node.list`)
+- View/edit `~/.clawdis/clawdis.json` via Gateway WS (`config.get`, `config.set`)
+
+## Tailnet access (recommended)
+
+Expose the Gateway on your Tailscale interface and require a token:
+
+```bash
+clawdis gateway --bind tailnet --token "$(openssl rand -hex 32)"
+```
+
+Then open:
+
+- `http://<tailscale-ip>:18789/ui/`
+
+Paste the token into the UI settings (it’s sent as `connect.params.auth.token`).
+
+## Building the UI
+
+The Gateway serves static files from `dist/control-ui`. Build them with:
+
+```bash
+pnpm ui:install
+pnpm ui:build
+```
+
+For local development (separate dev server):
+
+```bash
+pnpm ui:install
+pnpm ui:dev
+```
+
+Then point the UI at your Gateway WS URL (e.g. `ws://127.0.0.1:18789`).
+

docs/index.md

@@ -50,7 +50,8 @@ Most operations flow through the **Gateway** (`clawdis gateway`), a single long-
 ## Network model
 
 - **One Gateway per host**: it is the only process allowed to own the WhatsApp Web session.
-- **Loopback-first**: Gateway WS is `ws://127.0.0.1:18789` (not exposed on the LAN).
+- **Loopback-first**: Gateway WS defaults to `ws://127.0.0.1:18789`.
+  - For Tailnet access, run `clawdis gateway --bind tailnet --token ...` (token is required for non-loopback binds).
 - **Bridge for nodes**: optional LAN/tailnet-facing bridge on `tcp://0.0.0.0:18790` for paired nodes (Bonjour-discoverable).
 - **Canvas host**: LAN/tailnet HTTP file server (default `18793`) for node WebViews; see `docs/configuration.md` (`canvasHost`).
 - **Remote use**: SSH tunnel or tailnet/VPN; see `docs/remote.md` and `docs/discovery.md`.
@@ -117,10 +118,12 @@ Example:
   - [Clawd personal assistant setup](./clawd.md)
   - [AGENTS.md template (default)](./AGENTS.default.md)
   - [Gateway runbook](./gateway.md)
+  - [Web surfaces (Control UI)](./web.md)
   - [Discovery + transports](./discovery.md)
   - [Remote access](./remote.md)
 - Providers and UX:
   - [WebChat](./webchat.md)
+  - [Control UI (browser)](./control-ui.md)
   - [Telegram](./telegram.md)
   - [Group messages](./group-messages.md)
   - [Media: images](./images.md)

docs/web.md

@@ -0,0 +1,75 @@
+---
+summary: "Gateway web surfaces: Control UI, bind modes, and security"
+read_when:
+  - You want to access the Gateway over Tailscale
+  - You want the browser Control UI and config editing
+---
+# Web (Gateway)
+
+The Gateway serves a small **browser Control UI** (Vite + Lit) from the same port as the Gateway WebSocket:
+
+- `http://<host>:18789/ui/`
+
+The UI talks directly to the Gateway WS and supports:
+- Chat (`chat.history`, `chat.send`, `chat.abort`)
+- Nodes (`node.list`, `node.describe`, `node.invoke`)
+- Config (`config.get`, `config.set`) for `~/.clawdis/clawdis.json`
+
+## Config (default-on)
+
+The Control UI is **enabled by default** when assets are present (`dist/control-ui`).
+You can control it via config:
+
+```json5
+{
+  gateway: {
+    controlUi: { enabled: true } // set false to disable /ui/
+  }
+}
+```
+
+## Tailnet access
+
+To access the UI across Tailscale, bind the Gateway to the Tailnet interface and require a token.
+
+### Via config (recommended)
+
+```json5
+{
+  gateway: {
+    bind: "tailnet",
+    controlUi: { enabled: true }
+  }
+}
+```
+
+Then start the gateway (token required for non-loopback binds):
+
+```bash
+export CLAWDIS_GATEWAY_TOKEN="…your token…"
+clawdis gateway
+```
+
+Open:
+- `http://<tailscale-ip>:18789/ui/`
+
+### Via CLI (one-off)
+
+```bash
+clawdis gateway --bind tailnet --token "…your token…"
+```
+
+## Security notes
+
+- Binding the Gateway to a non-loopback address **requires** `CLAWDIS_GATEWAY_TOKEN`.
+- The token is sent as `connect.params.auth.token` by the UI and other clients.
+
+## Building the UI
+
+The Gateway serves static files from `dist/control-ui`. Build them with:
+
+```bash
+pnpm ui:install
+pnpm ui:build
+```
+