Feature Flags
The Cloud Frontend has two layers of feature flags:
- Build-time flags — Vite environment variables (VITE_*) baked into the build
- Runtime server-side flags — loaded from GET /api/v1/me/features after login
Build-time flags
Set in .env or CI/CD pipeline variables before npm run build:
| Variable | Default | Effect |
|---|---|---|
| VITE_ADMIN_PANEL_ENABLED | off | Show /admin/* routes and navigation link |
| VITE_PLATFORM_ADMIN_EMAIL_DOMAIN | monozu.io | Email domain that gets the admin nav link |
| VITE_CLARITY_PROJECT_ID | off | Enable Microsoft Clarity analytics |
The flag helpers live in Frontend/lib/features.ts.
Runtime server-side features
After successful login, the SPA calls GET /api/v1/me/features which returns the features enabled for the authenticated user’s tenant:

```json
{ "vpn": true, "security": true, "backup": false }
```

These are stored in authStore and used to conditionally render navigation items and route guards.
| Feature key | Module | Routes |
|---|---|---|
| security | Security SOC | /security/* |
| vpn | VPN Management | /vpn/* |
| backup | Backup | /backup/* |
The backend returns features based on the tenant_features table, which is populated by the Management service during license activation.
How the guard works
```mermaid
flowchart TD
    A["User navigates to /security/alerts"] --> B{"authStore.features.security?"}
    B -->|false| C["Redirect to /403 or dashboard"]
    B -->|true| D{"RBAC: security:read?"}
    D -->|false| C
    D -->|true| E["Render SecurityAlerts page"]
```
The FeatureGuard component wraps optional module routes and reads from authStore. If the feature is not in the user’s feature set, the route renders a “not available” page or redirects.
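
The decision in the flowchart above, written out as an added TypeScript example; it is not the project's FeatureGuard code. The Session shape, the function names, and the vpn:read and backup:read permission names are assumptions (only security:read appears on this page).

```typescript
// Added example: decision logic mirroring the guard flowchart.
// Route prefixes and feature keys come from the table on this page;
// the "<feature>:read" permission naming is assumed from "security:read".

type FeatureKey = "security" | "vpn" | "backup";
type GuardDecision = "render" | "forbidden";

interface Session {
  // Parsed body of GET /api/v1/me/features, or null if not loaded yet.
  features: Record<string, unknown> | null;
  // RBAC permissions held by the user (hypothetical shape).
  permissions: string[];
}

const ROUTE_FEATURES: Array<[string, FeatureKey]> = [
  ["/security/", "security"],
  ["/vpn/", "vpn"],
  ["/backup/", "backup"],
];

// Map a route to the feature that gates it, or null for core routes.
function featureForPath(path: string): FeatureKey | null {
  const normalized = path.charAt(path.length - 1) === "/" ? path : path + "/";
  for (const [prefix, key] of ROUTE_FEATURES) {
    if (normalized.indexOf(prefix) === 0) return key;
  }
  return null;
}

// Fail closed: only the boolean true enables a feature. A missing key,
// an unloaded store, or a truthy string such as "true" all deny.
function isFeatureEnabled(session: Session, key: FeatureKey): boolean {
  return session.features !== null && session.features[key] === true;
}

// Feature check first, then RBAC, in the same order as the flowchart.
function evaluateGuard(path: string, session: Session): GuardDecision {
  const key = featureForPath(path);
  if (key === null) return "render"; // not an optional module route
  if (!isFeatureEnabled(session, key)) return "forbidden";
  if (session.permissions.indexOf(`${key}:read`) === -1) return "forbidden";
  return "render";
}
```

This decides only what the SPA renders; the backend check described in the next section remains the enforcement point.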
Backend enforcement
Feature flags are also enforced on the backend. Even if the frontend renders the UI, API calls to optional module endpoints will return 403 Forbidden if the feature is not enabled for the tenant. The backend checks tenant_features independently.
Optional module routes (/api/v1/security/*, /api/v1/vpn/*, /api/v1/backup/*) are conditionally registered at startup based on env vars on the backend side as well. The Admin Panel routes (/api/v1/admin/*) require ADMIN_PANEL_ENABLED=true.