Mount web UI under /ui

README.md

@@ -819,16 +819,16 @@ Response:
 
 ## Web Interface
 
-The proxy serves a web UI at the root URL. No separate frontend build is needed -- templates and assets are embedded in the binary.
+The proxy serves a web UI under `/ui`. No separate frontend build is needed -- templates and assets are embedded in the binary. `GET /` redirects to `/ui/`. The UI is mounted under its own prefix so a reverse proxy can apply different access rules to it than to the package endpoints (for example, requiring auth for `PathPrefix(/ui)` while leaving `/npm`, `/pypi` etc. open to build machines).
 
-- **Dashboard** (`/`) -- cache stats, popular packages, recently cached artifacts, and vulnerability overview.
-- **Install guide** (`/install`) -- per-ecosystem configuration instructions, so you don't have to look them up here.
-- **Package browser** (`/packages`) -- browse all cached packages with filtering by ecosystem and sorting by hits, size, name, or vulnerability count.
-- **Search** (`/search?q=...`) -- search cached packages by name.
-- **Package detail** (`/package/{ecosystem}/{name}`) -- metadata, license, vulnerabilities, and version list for a package. You can select two versions to compare.
-- **Version detail** (`/package/{ecosystem}/{name}/{version}`) -- per-version metadata, integrity hash, artifact cache status, and hit counts.
-- **Source browser** (`/package/{ecosystem}/{name}/{version}/browse`) -- browse files inside cached archives with syntax highlighting for text files and image previews.
-- **Version diff** (`/package/{ecosystem}/{name}/compare/{v1}...{v2}`) -- side-by-side diff of two cached versions showing added, removed, and changed files.
+- **Dashboard** (`/ui/`) -- cache stats, popular packages, recently cached artifacts, and vulnerability overview.
+- **Install guide** (`/ui/install`) -- per-ecosystem configuration instructions, so you don't have to look them up here.
+- **Package browser** (`/ui/packages`) -- browse all cached packages with filtering by ecosystem and sorting by hits, size, name, or vulnerability count.
+- **Search** (`/ui/search?q=...`) -- search cached packages by name.
+- **Package detail** (`/ui/package/{ecosystem}/{name}`) -- metadata, license, vulnerabilities, and version list for a package. You can select two versions to compare.
+- **Version detail** (`/ui/package/{ecosystem}/{name}/{version}`) -- per-version metadata, integrity hash, artifact cache status, and hit counts.
+- **Source browser** (`/ui/package/{ecosystem}/{name}/{version}/browse`) -- browse files inside cached archives with syntax highlighting for text files and image previews.
+- **Version diff** (`/ui/package/{ecosystem}/{name}/compare/{v1}...{v2}`) -- side-by-side diff of two cached versions showing added, removed, and changed files.
 
 ## Monitoring
 
@@ -950,6 +950,33 @@ server {
 }
 ```
 
+The UI is mounted under `/ui` so you can apply different access rules to it than to the package endpoints — for example, require auth for humans browsing the UI while leaving `/npm`, `/pypi`, and other package endpoints open to unauthenticated build machines:
+
+```nginx
+server {
+    listen 443 ssl;
+    server_name proxy.example.com;
+
+    # Web UI — require auth
+    location /ui/ {
+        auth_basic "git-pkgs proxy";
+        auth_basic_user_file /etc/nginx/.htpasswd;
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_buffering off;
+    }
+
+    # Package endpoints — open to build machines
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_buffering off;
+    }
+}
+```
+
 ## Cache Management
 
 The proxy stores artifacts in the configured storage directory with this structure:

docs/architecture.md

@@ -15,7 +15,7 @@ The proxy is a caching HTTP server that sits between package manager clients and
 │  │  /cargo/*   -> CargoHandler    /stats   -> statsHandler   │    │
 │  │  /gem/*     -> GemHandler      /metrics -> prometheus     │    │
 │  │  ...17 ecosystems              /api/*   -> APIHandler     │    │
-│  │                                /        -> Web UI         │    │
+│  │                                /ui/*    -> Web UI         │    │
 │  └──────────────────────────────────────────────────────────┘    │
 │         │                    │                    │               │
 │         ▼                    ▼                    ▼               │
@@ -274,7 +274,7 @@ HTTP server setup, web UI, and API handlers.
 - Creates and wires together all components
 - Mounts protocol handlers at ecosystem-specific paths
 - Middleware: request ID, real IP, logging, panic recovery, active request tracking
-- Web UI: dashboard, package browser, source browser, version comparison
+- Web UI under `/ui`: dashboard, package browser, source browser, version comparison
 - Templates are embedded in the binary via `//go:embed`
 - Enrichment API for package metadata, vulnerability scanning, and outdated detection
 - Health, stats, and Prometheus metrics endpoints. `/health` runs an active write → size-check → read → verify → delete probe against the storage backend and returns a structured JSON response (`HealthResponse`) with `"ok"` / `"error"` status per subsystem. Probe results are cached (default 30 s, configurable via `health.storage_probe_interval`) to avoid overwhelming remote backends.