Merge pull request #39 from viruslox/update-docs-architecture-config-templates-3251558865566657047

docs: update architecture, readme, and config templates to reflect refactoring

Author: viruslox

ARCHITECTURE.md

@@ -33,7 +33,21 @@ The project has been refactored from a monolithic bash structure into a compiled
 
 1. **`VLX_FrameFlow` (The Client):** Exclusively deployed on Single Board Computers (like Orange Pi 5 Plus or Radxa Rock 5T). Responsible for hardware interactions: capturing video via v4l2, managing hostapd/networkd, and gathering GPS data. It serves the mTLS-protected API.
 2. **`VLX_FrameFlow_SRV` (The Server):** Exclusively deployed on a Virtual Private Server (VPS). Lightweight, focusing strictly on relaying traffic, receiving bonded connections, and enforcing UFW firewall rules.
-3. **`vlx_frontend` (The UI):** A standalone web server encapsulating a pre-built Svelte SPA (`//go:embed`). Designed to run remotely on an operator's machine or in the cloud to manage the Field Unit via secure APIs.
+3. **`vlx_frontend` (The UI):** A standalone web server encapsulating a pre-built Svelte SPA (`//go:embed`). Designed to run remotely on an operator's machine or in the cloud to manage the Field Unit via secure APIs. The frontend utilizes parallel REST polling (`Promise.all`) to dynamically fetch backend state, features a semantic parser for translating systemd string statuses (e.g., 'active', 'inactive', 'failed'), organizes UI components via CSS Grid layout, and streams text console output utilizing an `ansi-to-html` converter for colorized logs.
+
+## API Framework & Routing
+
+The core API has transitioned to utilizing the highly performant `Gin` framework (`github.com/gin-gonic/gin`). HTTP routes are registered using native Gin handler signatures (`func(c *gin.Context)`) rather than wrapping standard `http.HandlerFunc` components. Global CORS middleware handles OPTIONS requests automatically.
+
+### Operational Endpoints
+
+The unprivileged user interacts with the backend components via a standardized REST API structured primarily as `/api/v1/<module>/{start,stop,status,reset}`. Key operational endpoints include:
+
+- **`/api/v1/client/reset`**: Initiates a full reset of client networking and bonding.
+- **`/api/v1/gps/start` \| `stop` \| `status`**: Manages the transient systemd user unit for the GPS telemetry process.
+- **`/api/v1/mediamtx/start` \| `stop` \| `status`**: Controls the local MediaMTX static user service.
+- **`/api/v1/cameraman/start` \| `stop` \| `status`**: Orchestrates FFmpeg encoding pipelines directly to the MediaMTX API.
+- **`/api/v1/ap/start` \| `stop` \| `status`**: Triggers internal privilege escalation to manipulate `hostapd` and network interfaces.
 
 ## Unified Configuration Paradigm
 
@@ -65,11 +79,23 @@ To secure the connection between the remote `vlx_frontend` and the SBC's `VLX_Fr
 
 ### "Build as User, Run as Root"
 
-To maintain security and FHS compliance, the suite enforces a strict compilation and deployment workflow:
+The suite enforces a strict dichotomy between Client and Server roles regarding execution privilege and systemd architecture:
+
 1.  **Build:** Unprivileged compilation via `build.sh`.
 2.  **Install:** Executing the compiled binary as root triggers `internal/sysutils.InstallBinary()`.
 3.  **Deploy:** The binaries place themselves into `/opt/VLX_FrameFlow/bin/` and configure templates in `/opt/VLX_FrameFlow/etc/`.
-4.  **Run:** Background services execute as the dedicated, unprivileged `$FRAMEFLOW_USER` via `systemd --user` units to limit the blast radius.
+4.  **Run (CLIENT):** On the SBC/Field Unit, background services must strictly execute as the dedicated, unprivileged `$FRAMEFLOW_USER`. Systemd management uses User-Space Systemd (`systemctl --user`). Unit files are generated in `~/.config/systemd/user/` and explicitly target `default.target`. **Important:** Systemd Lingering (`loginctl enable-linger`) must be enabled by root during initial setup to allow background execution without an active SSH session.
+5.  **Run (SERVER):** On the VPS/Relay Node, the main daemon strictly requires `root` execution (UID 0) to orchestrate routing and UFW firewall rules. Systemd management uses System-Space Systemd (`/etc/systemd/system/`) and targets `multi-user.target`. To maintain security, the server relies on **Privilege Dropping** (`User=`, `Group=`) inside the unit templates for specific exposed services (like MediaMTX) to minimize the blast radius.
+
+### AP Module Privilege Escalation Pattern
+
+The Access Point (AP) module within the Client architecture necessitates modifying system-level network configurations (`hostapd`, `systemd-networkd`, `systemd-resolved`) which requires root access. However, the Client CLI operates as an unprivileged user.
+
+To bridge this gap securely, the suite implements a strict internal privilege escalation pattern:
+- Unprivileged CLI commands wrap themselves in `sudo` to call hidden internal operations (e.g., `_ap_system_ops`).
+- These hidden operations are protected by absolute root guards (`if os.Geteuid() != 0 { log.Fatal(...) }`).
+- Once inside the root context, functions executing system commands (like restarting services via `sysutils.RunCommand`) do not redundantly include `sudo`.
+
 
 
 ### Server API Command Forwarding
@@ -88,6 +114,23 @@ The dual-protocol nature ensures network reliability without cross-contamination
 - **Shadowsocks (via MPTCP):** Handles all bonded outbound TCP internet traffic. This is used by the Client to reach the broader internet transparently via the proxy.
 - **MLVPN (UDP):** Handles the high-bandwidth SRT streams and the secure, bidirectional internal telemetry and API command routing between the Server (`10.1.10.1`) and Client (`10.1.10.2`).
 
+## Module-Specific Behaviors
+
+The system implements several highly specific optimizations and fail-safes per module:
+
+### Cameraman
+- **Strict URL Parsing:** Incorporates robust `net/url` parsing logic to validate SRT stream IDs.
+- **Fallback Format Selection:** Employs a linear absolute-difference algorithm against user-defined maximums (`CAM_MAX_RESOLUTION`, `CAM_MAX_FPS`) to intelligently select fallback video formats (preferring H.264 copy, then MJPEG, then YUYV) when exact formats are unavailable.
+- **SQLite Concurrency:** The backend SQLite database (`modernc.org/sqlite`) is configured with `_pragma=journal_mode(WAL)` and `_pragma=busy_timeout(5000)` in its DSN to inherently prevent 'database is locked' boot race conditions during concurrent module initialization.
+
+### GPS Telemetry
+- **Socket Draining:** Implements a non-blocking TCP socket drain pattern against `gpsd` to prevent TCP buffer desynchronization and data lag typical of high-frequency positioning data.
+- **Rate Limiting:** Enforces a strict 5-second rate limit on HTTP POST transmissions to external endpoints.
+- **Transient Cleanup:** Actively manages transient systemd units, executing `systemctl --user reset-failed` during cleanup to prevent unit name conflicts.
+
+### MediaMTX & Bonding (v2ray)
+- **Dynamic Architecture Resolution:** During initialization and updates, the system dynamically checks `runtime.GOARCH` to resolve and download correct asset architectures. This strictly prevents "Exec format error" failures when deploying across heterogeneous ARM and x86_64 fleets.
+
 ## Filesystem Structure
 
 Following Linux File Hierarchy Standard (FHS) best practices, the global installation path is centralized:

README.md

@@ -16,6 +16,13 @@ VLX FrameFlow is a modular Go-based suite designed to transform Debian-based **S
 
 The suite operates via a main installation entry point compiled into a Go binary, internal Go packages, and runtime service managers. Process control is handled via **`systemd`**.
 
+### Execution Privilege & Systemd Architecture
+
+The system enforces a strict operational dichotomy based on the deployed role:
+
+- **CLIENT (SBC/Field Unit):** Strictly operates as an unprivileged dedicated user (`frameflow_user`). Systemd management utilizes User-Space Systemd (`systemctl --user`), stores unit files in `~/.config/systemd/user/`, and explicitly targets `default.target`. Systemd Lingering must be enabled by root during installation.
+- **SERVER (VPS/Relay Node):** Strictly requires `root` execution (UID 0) to manage routing and firewall rules. Systemd management utilizes System-Space Systemd (`/etc/systemd/system/`) and targets `multi-user.target`. It relies on Privilege Dropping (`User=`, `Group=`) inside the unit templates to secure exposed services like MediaMTX.
+
 The suite uses a **multi-protocol bonding architecture**: UDP traffic is routed exclusively via MLVPN, and TCP traffic is aggregated using MPTCP with Shadowsocks-libev and v2ray-plugin acting as a transparent proxy.
 
 ### Core Structure
@@ -26,10 +33,15 @@ The project has evolved into a multi-binary ecosystem to ensure role-specific fu
 | :--- | :--- |
 | **`VLX_FrameFlow`** | Client binary exclusively for SBC tasks (FFmpeg, AP, Storage, API). |
 | **`VLX_FrameFlow_SRV`** | Server binary exclusively for VPS tasks (Relay node, Firewall). |
-| **`vlx_frontend`** | Remote-capable standalone UI server. |
+| **`vlx_frontend`** | Remote-capable standalone UI server (Svelte SPA). |
 | **`config/`** | Configuration templates and maintenance scripts. |
 | **`internal/`** | Core logic (storage, system, network, package management). |
 
+### API & Frontend
+The backend API is built using the highly performant **Gin** framework (`github.com/gin-gonic/gin`) serving a standardized REST structure (`/api/v1/...`).
+
+The **Control Panel Frontend** is a compiled **Svelte** application. It dynamically polls the backend via parallel REST calls (`Promise.all`), features a semantic parser translating raw systemd statuses into visual states, and provides real-time streaming text consoles utilizing `ansi-to-html`.
+
 ---
 
 ## Installation
@@ -132,7 +144,7 @@ Available commands:
 - **`server start` / `server status` / `server stop`**: Manage server components.
 - **`server api start` / `server api status` / `server api stop`**: Manage the local API relay for forwarding commands to the remote Client via MLVPN.
 - **`client start` / `client status` / `client stop`**: Manage client components.
-- **`client reset`**: Restarts networking and bonding services.
+- **`client reset`**: Restarts networking and bonding services. (Also exposed via `/api/v1/client/reset`).
 - **`bonding`**: Displays MPTCP proxy and MLVPN tunnel status.
 - **`AP start`**: Activates HostAP (hotspot) on the first Wi-Fi interface.
 - **`AP stop`**: Stops HostAP and switches the first Wi-Fi interface back to managed client mode.
@@ -159,7 +171,7 @@ Manages video encoding pipelines. This service is best utilized in combination w
 ./vlx_frameflow mediamtx <start|stop|status>
 ```
 
-Manages the local **MediaMTX** server (SRT protocol only). Combining this service with the suite's Access Point (AP) mode is crucial for achieving optimal performance and reliability when interfacing with devices running rigid or proprietary software, such as GoPro cameras.
+Manages the local **MediaMTX** server (SRT protocol only). Combining this service with the suite's Access Point (AP) mode is crucial for achieving optimal performance and reliability when interfacing with devices running rigid or proprietary software, such as GoPro cameras. Also exposed via REST (`/api/v1/mediamtx/start|stop|status`).
 
 **Functions:**
 
@@ -172,7 +184,7 @@ Manages the local **MediaMTX** server (SRT protocol only). Combining this servic
 ./vlx_frameflow gps <start|stop|status>
 ```
 
-Manages GPS and telemetry services. This module acts as a resilient data pipeline, ensuring real-time location and telemetry data are consistently processed and transmitted regardless of network fluctuations.
+Manages GPS and telemetry services. This module acts as a resilient data pipeline, ensuring real-time location and telemetry data are consistently processed and transmitted regardless of network fluctuations. Also exposed via REST (`/api/v1/gps/start|stop|status`).
 
 - Controls **gpsd**.
 - Auto-detects USB / serial GPS hardware.

config/frameflow.settings.template

@@ -1,25 +1,37 @@
 # VLX FrameFlow User Profile
+# The dedicated, unprivileged user that runs the background services.
 FRAMEFLOW_USER="frameflow"
+
+# Installation Paths
+# Paths dynamically resolved via os.Getenv("VLXsuite_DIR") in code, defaulting to:
 VLXsuite_DIR="/opt/VLX_FrameFlow"
+# Note: Architecture suffixes (e.g. AMD64 vs ARM64) for MediaMTX are handled automatically
+# by the daemon's runtime.GOARCH resolution and do not need to be appended here.
 MEDIAMTX_DIR="/opt/mediamtx"
 
 # Wi-Fi AP Password
+# Automatically generated if left empty.
 AP_PASSWORD=""
 
 # GPS Tracker
 gps_target_url=""
 
 # Network settings
+# Specifies role-aware privilege scoping. Do not manually force unless required.
 FRAMEFLOW_ROLE=""
 MLVPN_SERVER_IP=""
+# Supports native Dual-Stack TCP bonding (comma-separated IPv4, IPv6)
 SHADOWSOCKS_SERVER_IPS=""
 MPTCP_PROXY_PASS=""
 MLVPN_KEY=""
 
 # Cameraman
+# DSN utilizes _pragma=journal_mode(WAL)&_pragma=busy_timeout(5000) internally to prevent boot race conditions.
 DB_DSN="/opt/VLX_FrameFlow/var/frameflow.db"
 # SRT target
+# Undergoes strict net/url validation before the encoding pipeline starts.
 SRT_URL="srt://frameflow-server.example:8890?streamid=publish:cam"
+# User-defined ceilings that the linear absolute-difference fallback algorithm strictly respects.
 CAM_MAX_RESOLUTION="1920x1080"
 CAM_MAX_FPS="30"
 

config/frameflow_srv.settings.template

@@ -1,9 +1,17 @@
 # VLX FrameFlow Server Profile
+# The dedicated, unprivileged user that runs background services inside privilege-dropped systemd units.
 FRAMEFLOW_USER="frameflow"
+
+# Installation Paths
+# Paths dynamically resolved via os.Getenv("VLXsuite_DIR") in code, defaulting to:
 VLXsuite_DIR="/opt/VLX_FrameFlow"
+# Note: Architecture suffixes (e.g. AMD64 vs ARM64) for MediaMTX are handled automatically
+# by the daemon's runtime.GOARCH resolution and do not need to be appended here.
 MEDIAMTX_DIR="/opt/mediamtx"
 
 # Network settings
+# Explicitly sets the system to require root execution for main orchestrator daemons,
+# while utilizing /etc/systemd/system/ and multi-user.target for unit files.
 FRAMEFLOW_ROLE="SERVER"
 MPTCP_PROXY_PASS=""
 MLVPN_KEY=""

config/frontend.settings.template

@@ -1,14 +1,21 @@
+# Standalone Web Server Binding Configuration
 # (optional, if empty fallback to localhost)
 bind_address=0.0.0.0
 # (optional, if empty fallback to 8080)
 bind_port=8080
+
 # Frontend GUI user credential
 FF_GUI_USER=frontend
 FF_GUI_PASS=frontend
+
+# Target Backend Connection Parameters (Client API)
 # (connection to backend: optional, if empty set to localhost)
 backend_address=127.0.0.1
 # (connection to backend: optional, if empty set to 9090)
 backend_port=9090
+
+# Zero-Trust mTLS Credentials
+# Used by the Svelte Control Panel to authenticate against the backend API.
 # Client certificate path for frontend (optional, required if backend enforces mTLS)
 client_crt=/opt/VLX_FrameFlow/certs/frontend01.crt
 # Client key path for frontend (optional, required if backend enforces mTLS)

config/mediamtx_client.settings.template

@@ -1,5 +1,7 @@
 ###############################################
 # VLX FrameFlow - MediaMTX Configuration Template (Client)
+# Note: This node operates natively as a static user service using systemctl --user,
+# exclusively running as the dedicated unprivileged user via ~/.config/systemd/user/.
 ###############################################
 logLevel: info
 logDestinations: [syslog]
@@ -79,5 +81,7 @@ pathDefaults:
 
 paths:
   ~^wificam:
+    # Acts as an RTMP-to-SRT auto-forwarder
     runOnReady: ffmpeg -i rtmp://localhost:$RTMP_PORT/$MTX_PATH -c copy -f srt "srt://10.1.10.1:8890?streamid=publish:$MTX_PATH"
   ~^cameraman:
+    # Dynamically configured via the API. Operates exclusively over SRT (V4L2/ALSA direct-to-SRT ingest) without WebRTC multiplexing.

config/mediamtx_server.settings.template

@@ -1,5 +1,7 @@
 ###############################################
-# VLX FrameFlow - MediaMTX Configuration Template (Client)
+# VLX FrameFlow - MediaMTX Configuration Template (Server)
+# Note: This node operates inside a System-Space Systemd unit (/etc/systemd/system/).
+# Privilege Dropping (User=, Group=) is enforced inside the generated unit to limit blast radius.
 ###############################################
 logLevel: info
 logDestinations: [syslog]
@@ -86,5 +88,7 @@ pathDefaults:
   runOnRecordSegmentComplete:
 
 paths:
+  # The Server acts as a "Smart Receiver" and implements a Seamless Fallback Pipeline (Zero-Drop)
+  # by maintaining an ffmpeg -stream_loop on an /offline path (not shown here) during dropouts.
   ~^wificam:
   ~^cameraman: