Skip to content

Docs · Dashboard

Launch the local dashboard.

Local-only

The Ledgerful dashboard is a local-only web UI. It ships with the Ledgerful CLI — there is nothing separate to install. It runs as a loopback daemon and requires an ephemeral session token to access.

Start the daemon

Run ledgerful web start from inside a git repository root. The daemon binds exclusively to 127.0.0.1 and is not accessible from any other machine or network interface.

# Start the dashboard and open it in your browser (recommended)
ledgerful web start --open

# Start without opening a browser (prints the tokenized URL to copy)
ledgerful web start

# Custom port, running in the background
ledgerful web start --port 3001 --background

With --open, the daemon launches your browser at the tokenized URL automatically. Without it, the daemon prints the dashboard URL including a session token — copy the full URL, including the ?token= query parameter, and open it in your browser. Either way, the dashboard immediately captures the token in memory and strips it from the address bar.

Opening the dashboard

The URL printed at startup includes the session token. Open this URL in a browser on the same machine. The dashboard captures the token in memory, strips the query string with history.replaceState, and sends daemon API requests with an Authorization: Bearer <token> header. The dashboard will not load without a valid token.

# Example output from ledgerful web start:
Ledgerful dashboard listening on http://127.0.0.1:52001
Open: http://127.0.0.1:52001/?token=<your-64-char-hex-token>

Loopback only: The daemon binds exclusively to http://127.0.0.1:52001. CORS is restricted to localhost and 127.0.0.1 on any port. Cross-origin requests from remote or hosted domains are rejected. The dashboard is not a hosted service and is not accessible from other machines on your network.

Daemon management

Check daemon status or stop it with the following commands.

# Check whether the daemon is running and get its port
ledgerful web status

# Stop the daemon
ledgerful web stop

Token security

Each daemon session uses a 256-bit cryptographically random token. Treat the token like a temporary password for the duration of the session.

Token entropy: Tokens are 256-bit values (32 bytes from OS entropy via rand::thread_rng().fill_bytes), hex-encoded to 64 characters. This makes loopback brute-force attacks infeasible.

Token lifetime: Tokens are per-session and are never persisted to disk by the daemon. Restarting the daemon generates a new token.

Token safety rules:

  1. Do not paste the full dashboard URL — including the ?token= parameter — into bug reports, screenshots, screencasts, or documentation examples.
  2. Do not store the token in environment variables, shell history, or scripts.
  3. If a token is accidentally exposed, stop and restart the daemon immediately to generate a new one.
  4. The token is validated with constant-time comparison on every request to prevent timing attacks.