Chapter 7

Web Interface

First Login

Open http://<host>:8000 in your browser. You'll be prompted for your API key on the first visit — enter the value of your API_KEY environment variable. The key is stored in session storage and not sent to any third party. Once authenticated, the Dashboard loads with live network counts.

The MeshOptixIQ web interface is a React/TypeScript single-page application served directly by the FastAPI process — no separate web server required. It gives every role in your organisation a purpose-built view of the network: topology for engineers, endpoint search for help desk, firewall policy analysis for security, and compliance reporting for auditors. All pages update in near-real-time via the Server-Sent Events stream.

User Access Levels

Personas are access levels that control which pages and features are available to you in the web interface. Each persona unlocks a progressively larger part of the application, so you only see what is relevant to your role.

Persona | Typical Role | Pages Available
helpdesk | Support staff, help desk | Dashboard, Topology, Devices, Endpoints, Blast Radius, Change Center
analyst | IT analysts, NOC operators | All of the above + Subnets & IP Schema, Query Workbench
security | Security engineers | All of the above + Firewall Policies, Path Analysis
network | Network engineers | All of the above + Automation, Collection
architect | Senior / principal engineers | Same as network
admin | Administrators | Full access, including the Admin page

Your current persona is shown as a badge in the User menu at the top-right of every page. In the default single-user setup (API key authentication), you automatically receive the admin persona and have full access to every page.

The table below lists every page in the web interface along with the minimum persona required to access it.

Route | Page | Minimum Persona
/ | Dashboard | All
/topology | Topology | All
/devices | Device Inventory | All
/endpoints | Endpoint Search | All
/subnets | Subnets & IP Schema | analyst
/firewall | Firewall Policies | security
/path-analysis | Path Analysis | security
/blast-radius | Blast Radius | All
/history | Change Center | All
/automation | Automation | network
/collection | Collection | network
/queries | Query Workbench | analyst
/admin | Admin | admin

Settings redirect
/settings permanently redirects to /admin for backwards compatibility with bookmarks.
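
The two tables above encoded as a deny-by-default access check, with a cross-check that the persona table and the route table agree. This is an added example, not MeshOptixIQ's own code; the rank numbers, function names and the route form of the persona table are assumptions made for illustration.

```python
# Rank order from the persona table; "architect" is listed as "Same as network".
PERSONA_RANK = {"helpdesk": 0, "analyst": 1, "security": 2,
                "network": 3, "architect": 3, "admin": 4}

# Route -> minimum persona, from the route table ("All" maps to the lowest rank).
ROUTE_MIN_PERSONA = {
    "/": "helpdesk", "/topology": "helpdesk", "/devices": "helpdesk",
    "/endpoints": "helpdesk", "/subnets": "analyst", "/firewall": "security",
    "/path-analysis": "security", "/blast-radius": "helpdesk",
    "/history": "helpdesk", "/automation": "network",
    "/collection": "network", "/queries": "analyst", "/admin": "admin",
}

# Pages each persona adds according to the persona table, written as routes.
PERSONA_ADDS = {
    "helpdesk": {"/", "/topology", "/devices", "/endpoints",
                 "/blast-radius", "/history"},
    "analyst": {"/subnets", "/queries"},
    "security": {"/firewall", "/path-analysis"},
    "network": {"/automation", "/collection"},
    "architect": set(),
    "admin": {"/admin"},
}

# /settings redirects to /admin, so it must inherit the Admin page's requirement.
REDIRECTS = {"/settings": "/admin"}


def normalise(route):
    """Drop query string, fragment and trailing slash, then follow the redirect."""
    path = route.split("?", 1)[0].split("#", 1)[0]
    path = path.rstrip("/") or "/"
    return REDIRECTS.get(path, path)


def can_access(persona, route):
    """Deny by default: unknown personas and unlisted routes are refused."""
    rank = PERSONA_RANK.get(persona)
    required = ROUTE_MIN_PERSONA.get(normalise(route))
    if rank is None or required is None:
        return False
    return rank >= PERSONA_RANK[required]


def visible_routes(persona):
    """Routes a persona can open according to the route table."""
    return {r for r in ROUTE_MIN_PERSONA if can_access(persona, r)}


def expected_routes(persona):
    """Cumulative route set implied by the persona table."""
    rank = PERSONA_RANK[persona]
    routes = set()
    for name, adds in PERSONA_ADDS.items():
        if PERSONA_RANK[name] <= rank:
            routes |= adds
    return routes


def table_mismatches():
    """Personas for which the two tables disagree, with the differing routes."""
    return {p: visible_routes(p) ^ expected_routes(p)
            for p in PERSONA_RANK
            if visible_routes(p) != expected_routes(p)}
```

An empty result from `table_mismatches()` means the two tables describe the same policy for every persona.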

Dashboard (/)

Figure 7.1 — Dashboard showing network summary chips, security posture indicators, and recent events

The Dashboard is the home page you see when you open the web interface. It gives you an at-a-glance overview of the current state of your network:

  • Network summary — counts of collected devices, interfaces, IP addresses, endpoints, VLANs, and firewall rules updated every few minutes.
  • Security posture panel — hygiene indicators showing devices without neighbours, interfaces without IPs, and endpoints without subnet assignments. Each indicator is a shortcut to the relevant detail page.
  • Network mini-map — a compact thumbnail of the topology graph so you can spot changes at a glance without switching to the full Topology view.
  • Live activity badge — the status bar at the top shows whether the server is reachable and whether real-time updates are streaming.

The Dashboard does not require any specific persona — it is available to every user regardless of access level.

7.1 App Shell & Navigation

Top Bar

A fixed bar at the top of every page provides at-a-glance status and global shortcuts:

  • Global search button — click to open the Command Palette (or press Cmd+K / Ctrl+K from anywhere)
  • Backend health dot — green (reachable), amber (degraded), red (unreachable); the label reads "Live" or "Offline"
  • Live / Polling badge — "Live" when real-time push updates are active; "Polling" when falling back to 30-second polling
  • Demo badge — an amber "DEMO" label shown when the server is running in demonstration mode with simulated data
  • Notifications bell — count of recent toast events; click to review the list
  • User menu — current persona badge; Disconnect / Clear session

Command Palette (Cmd+K / Ctrl+K)

Press Cmd+K on macOS or Ctrl+K on Windows/Linux from any page to open the Command Palette.

Input | Action
IP address (e.g. 10.0.1.55) | Navigate to Endpoint Search with the IP pre-filled
CIDR (e.g. 10.0.0.0/24) | Navigate to Endpoint Search in subnet mode
MAC address fragment | Navigate to Endpoint Search in MAC mode
Hostname fragment (e.g. core-sw) | Navigate to Topology and focus the matching device
Page name (e.g. firewall, topology) | Jump directly to that page
Reload RBAC | Force an immediate reload of the access control policy (admin)

Power User: Command Palette Modes

The Command Palette supports four input-prefix modes that activate specialized behavior. Prefix your query with one of the characters in the table below to route it to the correct handler without navigating away from your current page.

Prefix | Mode | Example input | Outcome
(none) | Smart search | 10.0.0.5 or core-sw-01 | Auto-routes: IP/CIDR → Endpoint Search; MAC fragment → Endpoint MAC mode; hostname → Topology focus; page name → direct navigation
> | Built-in action | >compliance-scan | Executes the named action inline — no page load required
? | AI assistant | ?how do I create a BGP alert? | Opens the Chat page with the question pre-filled and ready to send
@ | Topology focus | @core-sw-01 | Navigates to Topology and zooms the graph to the named device

Built-in Actions (> prefix)

Action name | Description
refresh | Refetch all data for the current page without a full reload
export devices | Download the current device inventory as a CSV file
compliance-scan | Trigger an immediate compliance scan (requires Pro+; same as clicking the Run button in the Compliance page)
snapshot | Capture a network snapshot immediately (same as the scheduled snapshot, but on demand)

Fastest path to the AI assistant
The ? prefix is the fastest way to reach the Chat page. Type Ctrl+K / Cmd+K, then type ? followed by your network question, and press Enter — the question lands directly in the Chat input without navigating first.

Inspector Drawer

The right-side Inspector Drawer slides in when you click a device row in Device Inventory, a node in the Topology graph, or a rule row in Firewall Policies. It persists across page navigation until explicitly closed (× button or Escape).

For devices, the drawer shows six tabs:

Tab | Contents
Summary | Hostname, vendor, model, serial, OS version, and NetBox metadata (site / tenant / rack) if present
Interfaces | All interfaces with IP addresses and link state
Neighbors | CDP/LLDP-discovered neighbours; click "View" to focus the neighbour in Topology
Endpoints | Hosts learned on each interface via ARP and MAC tables
Firewall | Collected security rules (if any); empty state for non-firewall devices
History | Snapshots in which this device appears, with timestamps

Sidebar Navigation Groups

The left sidebar organises pages into seven sections:

Section | Pages
Overview | Dashboard
Observe | Topology, Path Analysis
Assets | Devices, Endpoints, Subnets
Security | Firewall Policies, Blast Radius
Operations | Change Center, Automation, Collection
Workbench | Query Workbench
System | Admin

7.2 Topology View (/topology)

Figure 7.2 — Topology view with blue circles for switches, orange diamonds for firewalls, and connection edges

The topology view renders a Cytoscape.js force-directed graph of all network devices and their connections.

Node Types & Colours

Node Shape / Colour | Device Type
Blue circle | Standard network device (switch, router)
Orange diamond | Firewall device (has at least one collected firewall rule)
Rose / red highlight | Device impacted by a Blast Radius overlay
Emerald / green highlight | Device in an active Path Analysis overlay

Interactions

  • Click a node — opens the Inspector Drawer with the 6-tab device detail panel.
  • Click an edge — shows the interfaces on each end that form the connection.
  • Scroll / pinch — zoom the graph.
  • Drag — pan the canvas or reposition nodes.
  • Search bar — filters the graph by hostname; entering a name in focus mode triggers a 2-hop neighbourhood query.

Focus Mode (large networks)

When the graph contains more than 200 devices, a Focus Mode button appears. Activating it switches to neighbourhood view: type a hostname and click Focus to load only the 2-hop subgraph around that device using the topology_neighborhood query. Click Exit Focus Mode to return to the full graph.

Topology Overlays

After results are returned, the Blast Radius page offers an Overlay on Topology button and the Path Analysis page offers a Show path on Topology button. Clicking either stores the result in memory and navigates to the Topology page, which applies the overlay automatically:

  • Blast Radius overlay — impacted nodes highlighted in rose; non-impacted nodes dimmed; a dismissible banner shows the focal device and endpoint count.
  • Path Analysis overlay — matched firewall nodes highlighted in emerald; a banner shows src → dst. Click Dismiss to clear.

7.3 Device Inventory (/devices)

Figure 7.3 — Device Inventory with vendor filter panel, stat chips, and virtualized table

A virtualized table of all collected network devices, supporting datasets of 10,000+ rows at 60 fps. Data is cached client-side for 5 minutes.

Filters

  • Search — free-text match against hostname, vendor, and model
  • Vendor — multi-select pill filter (Cisco, Juniper, Palo Alto, etc.)
  • Has firewall rules — toggle to show only devices with collected firewall policies

Active filter count is shown on the Filters button; click Clear all inside the panel to reset.

Row Actions

  • Click any row — opens the Inspector Drawer with the 6-tab device detail panel.
  • Show in Topology — navigates to the Topology page and focuses the selected device.
  • Export JSON — downloads the currently filtered device list as a JSON file.

Column Visibility

Click the Columns button (top-right of the table) to show or hide individual columns (Vendor, Model, OS Version, Serial, Collected At).

Figure 7.4 — Inspector Drawer showing 6-tab DeviceDetailPanel with Summary tab active and ProvenanceCard footer

7.4 Endpoint Search (/endpoints)

Two modes are available via the toggle in the page header:

Search Mode

Locate a single host by IP address or MAC address.

  • IP mode — accepts a single IPv4/IPv6 address or a CIDR prefix; an optional VRF field narrows results to a specific routing domain.
  • MAC mode — accepts any standard MAC format (colon, hyphen, or dotted-quad).

The Command Palette auto-fills and fires a search when you type an IP or MAC and press Enter.

Inventory Mode

Loads all known endpoints (up to 10,000) into a virtualized table with the same column controls as Device Inventory. Click any row to open the Inspector Drawer.

Orphaned Endpoints

An expandable amber panel at the bottom of the page shows endpoints that have no associated subnet record — a sign that the IPAM configuration may be incomplete. Backed by the endpoints_without_location query.

7.5 Subnets & IP Schema (/subnets) analyst+

An IPAM-style view for exploring subnet allocations and tracking address hygiene. Requires analyst persona or higher.

Query Modes

Mode | Input | Query | Result
By subnet | CIDR + optional VRF | ips_in_subnet | All IP addresses allocated within the prefix, with VRF column
By device | Device hostname | subnets_on_device | All subnets configured on that device (network_address, prefix_length, VRF, tenant)

Orphaned IPs

An expandable amber section runs the orphaned_ips query on first open and shows IPs that are configured on interfaces but do not belong to any known subnet definition.

VRF-aware queries
Both By subnet and the orphaned IPs query are VRF-aware. Leave the VRF field blank to see results across all routing domains, or enter a VRF name (e.g. CORP, GUEST) to narrow the scope.

7.6 Firewall Policies (/firewall) security+

Figure 7.5 — Firewall Policies with zone-pair filter dropdowns and action badges

Displays a filterable, searchable table of all collected firewall rules across all devices.

Filters

  • Device — filter by firewall hostname
  • Zone pair — source zone / destination zone dropdowns
  • Action — allow / deny / drop / reject
  • Enabled — show only active or disabled rules
  • Search — full-text search across rule name, zones, and address objects

Expanded Row

Click any rule row to expand the detail panel showing: source zones, destination zones, source addresses, destination addresses, services, protocols, ports, logging state, and rule comments. Click the row again to collapse.

Deny Rules Summary

The Deny Rules tab (or the deny_rules_summary query) shows all deny/drop/reject rules across every firewall — useful for quickly auditing what the perimeter explicitly blocks.

7.7 Path Analysis (/path-analysis) security+

Figure 7.6 — Path Analysis showing PERMITTED verdict and matching firewall hop

Interactive source-to-destination path analysis through the firewall rule chain.

  1. Enter the Source IP address.
  2. Enter the Destination IP address.
  3. Optionally enter Protocol (e.g. tcp) and Destination Port (e.g. 443).
  4. Click Analyse Path.

Results display a PERMITTED (green) or DENIED (red) verdict banner, followed by a per-firewall breakdown of the first-matching rule, its action, rule name, and the zone pair that matched.

After results appear, click Show path on Topology to navigate to the Topology page with the matched firewall devices highlighted in emerald.

Path Analysis Accuracy
Results reflect the firewall rules collected at the last meshq collect run. Always recollect after policy changes before relying on path analysis results for change control decisions.

7.8 Blast Radius (/blast-radius)

Figure 7.7 — Blast Radius showing 47 affected endpoints for core-sw-01 failure scenario

Simulate the impact of losing a device, interface, VLAN, or subnet, and see the downstream endpoints that would be affected.

Query Types

Mode | Parameters | Query
Device | Hostname | blast_radius_device
Interface | Hostname + interface name | blast_radius_interface
VLAN | VLAN ID | blast_radius_vlan
Subnet | CIDR prefix | blast_radius_subnet

After results are returned, click Overlay on Topology to navigate to the Topology page with impacted nodes highlighted in rose and a dismissible banner showing the focal device and endpoint count.

7.9 Change Center (/history)

Figure 7.8 — Change Center Network Diff showing removed, unchanged, and added devices between two snapshots

Tracks network state over time using an in-memory ring buffer of up to 288 snapshots (24 hours at 5-minute intervals). Three tabs provide different views of change data.

Trend Charts tab

Live sparkline charts showing device count, endpoint count, and firewall rule count over time, updated via SSE.

Network Diff tab

Select two timestamps using the from/to date pickers and click Compare to call GET /history/diff. The response is presented as a three-column diff:

  • Removed — devices or rules present in the earlier snapshot but absent in the later
  • Unchanged — items present in both snapshots
  • Added — items present in the later snapshot but absent in the earlier

What-If Simulation tab Pro+

Submit a proposed topology change and see its impact before making any modifications to the live network. Two input modes are available:

  • Fields mode — structured inputs for proposed device count and firewall rule count
  • JSON mode — raw NetworkFacts textarea for submitting specific devices, interfaces, and firewall rules

Results show current vs. proposed counts with a delta card and a list of new device hostnames. The simulation banner reads SIMULATION — not live data to prevent confusion. The endpoint is rate-limited to 10 requests per minute; a cooldown timer is shown when the limit is reached.

7.10 Automation (/automation) network+

Export network data and trigger external system synchronisation. Requires the network persona or higher.

Ansible Dynamic Inventory

Download an Ansible-compatible inventory file via the GET /inventory/ansible endpoint.

  • Select format: JSON (for ansible-inventory --list) or INI (legacy format)
  • Click Download inventory.json (or .ini) — the file is fetched and saved to disk
  • Devices are grouped by vendor; devices with collected firewall rules appear in the additional firewalls group

Expand Copy automation snippet to get a pre-filled curl command with your API key for use in CI pipelines or Ansible dynamic inventory scripts.

NetBox Sync Pro+

The NetBox Sync card is displayed only when NETBOX_URL and NETBOX_TOKEN are configured. It shows the configured sync direction (push / pull / both) and provides a Dry Run Sync button that calls POST /admin/netbox/sync?dry_run=true and displays the proposed changes without committing them.

7.11 Admin (/admin) admin only

The Admin page is restricted to the admin persona. It provides five tabs for managing the running instance.

Tab | Contents
Identity | Current API key (masked), authentication mode, and your active persona (access level)
RBAC | View and edit the current RBAC policy YAML; click Reload Policy to hot-reload without restarting
Backend | Runtime config: graph backend, Redis URL, cluster mode, license plan and expiry
Snapshots | Ring buffer of recent metric snapshots with timestamps and device/rule fingerprint counts
Diagnostics | Copy Support Bundle — collects masked admin config, last 5 snapshot timestamps, and RBAC source into a JSON blob and copies it to the clipboard for pasting into a support ticket

Settings redirect
The old /settings URL permanently redirects to /admin. Update any bookmarks or automation scripts that reference the old path.

Chapter 7A Pro+

Alerts & Notifications

Quick Start

Navigate to /alerts → click New Rule → configure target metric, operator, threshold, and notification channel → click Save. Alerts fire in real-time via SSE.

7A.1 Creating Alert Rules

Alert rules evaluate a target metric against a threshold on a configurable interval. When the condition is met, an alert fires and appears in the alert stream.

Field | Description | Example
name | Human-readable rule name | BGP Session Down
target | Metric to evaluate | bgp_peers_down, device_count, flow_total_flows
operator | Comparison operator | gt, lt, gte, lte, eq
threshold | Numeric threshold value | 0, 50, 100000
severity | Alert severity level | critical, warning, info
channel_ids | Notification channel IDs (multi-select) | ["ch-slack-ops", "ch-pagerduty"]

Example: alert when BGP peers go down:

curl -X POST -H "X-API-Key: your-key" \
  -H "Content-Type: application/json" \
  http://localhost:8000/alerts/rules \
  -d '{
    "name": "BGP Session Down",
    "target": "bgp_peers_down",
    "operator": "gt",
    "threshold": 0,
    "severity": "critical",
    "channel_ids": ["ch-slack-noc"]
  }'

7A.2 Notification Channels

Configure webhook and email channels via Alerts → Channels → Add Channel:

  • Webhook: POST to any HTTP endpoint (Slack, Teams, PagerDuty, custom). Payload is the SOAR webhook format.
  • Email: SMTP configuration set via SMTP_HOST, SMTP_PORT, SMTP_FROM environment variables.

7A.3 Real-Time Alert Stream

The alert stream is a Server-Sent Events (SSE) endpoint that pushes fired alerts to connected clients in real-time:

# Subscribe to the live alert stream
curl -H "X-API-Key: your-key" \
  "http://localhost:8000/alerts/stream"

// Or via EventSource in JavaScript (pass api_key as query param):
const es = new EventSource("/alerts/stream?api_key=your-key");
es.onmessage = (e) => console.log(JSON.parse(e.data));

The web UI's Alerts page shows a live feed with severity badges, timestamps, device context, and a one-click acknowledge button.
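
An added example, not MeshOptixIQ code: a Python consumer for the stream that authenticates with the X-API-Key header, as the curl command above does, so the key stays out of the URL (query strings are commonly written to access logs), and that parses SSE frames incrementally across chunk boundaries. The alert fields `id` and `severity` in the sample are constructed; the page does not document the payload schema.

```python
import json
import urllib.request


class SSEParser:
    """Incremental Server-Sent Events parser; feed() accepts arbitrary byte chunks.

    Handles LF and CRLF line endings, comment lines and multi-line data fields.
    """

    def __init__(self):
        self._buf = b""
        self._data = []
        self._event = "message"

    def feed(self, chunk):
        """Return the events completed by this chunk (possibly none)."""
        self._buf += chunk
        out = []
        while b"\n" in self._buf:
            raw, self._buf = self._buf.split(b"\n", 1)
            line = raw.rstrip(b"\r").decode("utf-8", errors="replace")
            if line == "":                      # blank line dispatches the event
                if self._data:
                    out.append({"event": self._event,
                                "data": "\n".join(self._data)})
                self._data, self._event = [], "message"
            elif line.startswith(":"):          # comment, used as keep-alive
                continue
            else:
                name, _, value = line.partition(":")
                if value.startswith(" "):
                    value = value[1:]
                if name == "data":
                    self._data.append(value)
                elif name == "event":
                    self._event = value
        return out


def decode_alert(event):
    """Parse the JSON body; return None for malformed or non-object data."""
    try:
        obj = json.loads(event["data"])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def stream_alerts(base_url, api_key, timeout=60):
    """Yield decoded alerts from /alerts/stream using header authentication."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/alerts/stream",
        headers={"X-API-Key": api_key, "Accept": "text/event-stream"},
    )
    parser = SSEParser()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        while True:
            chunk = resp.read1(4096)
            if not chunk:
                return
            for event in parser.feed(chunk):
                alert = decode_alert(event)
                if alert is not None:
                    yield alert


# Constructed sample: a keep-alive, two alerts and one malformed frame,
# split at awkward byte offsets to exercise the buffering.
SAMPLE_CHUNKS = [
    b': keep-alive\n\ndata: {"id": "alert-42", "sev',
    b'erity": "critical"}\r',
    b'\n\r\ndata: {"id": "alert-43",\ndata: "severity": "warning"}\n',
    b'\ndata: not-json\n\n',
]


def parse_sample():
    """Run the constructed chunks through the parser and return decoded alerts."""
    parser = SSEParser()
    alerts = []
    for chunk in SAMPLE_CHUNKS:
        alerts += [a for a in map(decode_alert, parser.feed(chunk)) if a]
    return alerts
```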

7A.4 Acknowledging Alerts

Acknowledge a fired alert to suppress repeated notifications:

# PATCH to acknowledge a specific alert
curl -X PATCH -H "X-API-Key: your-key" \
  http://localhost:8000/alerts/history/alert-42

# Filter unacknowledged alerts
curl -H "X-API-Key: your-key" \
  "http://localhost:8000/alerts/history?acknowledged=false"

License Requirement

Alert rules require the alert_rules feature flag (Pro or Enterprise plan). The alert stream endpoint is accessible, but rule creation returns 402 without the flag.

Chapter 7B Enterprise

Network Flow Analytics

Quick Start

Set SFLOW_ENABLED=true on the API container. Configure your switches to export sFlow to UDP/6343 on the MeshOptixIQ host. Navigate to /flows to see Top Talkers populate within minutes.

7B.1 What Gets Collected

MeshOptixIQ passively receives flow telemetry from network devices:

  • NetFlow v5/v9: UDP port 2055 (enable with NETFLOW_ENABLED=true)
  • IPFIX: UDP port 9995
  • sFlow v5: UDP port 6343 (enable with SFLOW_ENABLED=true)

All flows are stored in a 100,000-flow ring buffer. Oldest flows are evicted as new ones arrive. Check capacity: GET /flows/status.

7B.2 Top Talkers View

The Top Talkers tab ranks source/destination IP pairs by total bytes transferred in the selected time window (last 5m, 15m, 1h, 24h). Each row shows:

  • Source IP and destination IP (with device hostname if known)
  • Total bytes, total packets, and average flow duration
  • Dominant protocol and destination port

7B.3 Conversations View

The Conversations tab shows active sessions with full 5-tuple: source IP, destination IP, protocol, source port, destination port. Rows are color-coded by protocol (TCP=blue, UDP=green, ICMP=amber).

7B.4 Interface Heatmap

In the Topology view, enable the Interface Heatmap overlay from the Overlays menu. Links are colored by traffic intensity derived from sFlow sample data: green (0–30%), amber (30–70%), red (70–100% of interface capacity).

License Requirement

Flow Analytics requires the flow_analytics feature flag (Enterprise plan only). The /flows UI page is hidden for non-Enterprise licenses.

Chapter 7C Enterprise

GPU & InfiniBand Cluster

Quick Start

After collecting your GPU servers (DGX, HGX), navigate to /gpu-cluster. The InfiniBand Fabric tab loads automatically. Click a port row to highlight the connection in Topology view.

7C.1 InfiniBand Fabric Tab

Displays all InfiniBand ports and their peer connections from the ib_topology query. Columns:

Column | Description
Device | Hostname of the GPU server or IB switch
Port Num | Physical IB port number (1-indexed)
State | Port state: Active, Down, Polling, Init
Speed | Link speed (HDR 200Gbps, HDR100 100Gbps, EDR 100Gbps, etc.)
Peer | Connected peer hostname and port

The Ports Down sub-tab (from ib_ports_down) shows only ports NOT in Active state — use this for fabric health checks.

7C.2 GPU Health Tab

Powered by DCGM (Data Center GPU Manager) metrics collected via SSH. Each row represents one GPU on one server:

Metric | Column | Alert Threshold
SM Utilization | Util % | >90% → red, >70% → amber
Memory Utilization | Mem % | >90% → red, >80% → amber
Power Draw | Power W | >380W → red
GPU Temperature | Temp °C | >80°C → red, >75°C → amber
SM Clock | Clock MHz |
NVLink Bandwidth | NVLink GB/s |

Data source endpoints: GET /infiniband/topology, GET /infiniband/ports/down, GET /infiniband/dcgm.

7C.3 NCCL Job Visualization

In the Topology page, enable the NCCL Jobs overlay. A job selector dropdown (populated from nccl_jobs) lets you choose an active training job. The topology then highlights the GPU server nodes involved and overlays AllReduce/AllGather communication flows as animated edges colored by flow volume.

License Requirement

GPU & InfiniBand features require the nccl_visualization flag (Enterprise only). Collection of DCGM metrics also requires SSH access to the GPU servers with DCGM installed.

Chapter 7D Enterprise

Compliance

Quick Start

Navigate to /compliance → select framework from the dropdown → click Run Compliance Scan → wait for results (typically 30–120 seconds depending on network size).

7D.1 Available Frameworks

  • PCI DSS v4 — Payment Card Industry Data Security Standard version 4.0. Controls focus on network segmentation, firewall rule quality, and access control.
  • NIST CSF 2.0 — NIST Cybersecurity Framework 2.0 core functions. Controls cover Identify, Protect, Detect, Respond, and Recover domains.
  • CIS Cisco IOS — Center for Internet Security benchmark for Cisco IOS devices. Controls cover device hardening, SSH configuration, and NTP.

7D.2 Compliance Scan Results

The scan produces a score circle (0–100%) and a control results table:

  • ≥ 80% — Green (Compliant)
  • 60–79% — Amber (Needs Attention)
  • < 60% — Red (Non-Compliant)

Each control row shows: Control ID, Title, Status (PASS / FAIL / SKIP), number of affected devices, and remediation guidance.

7D.3 Control Evaluation Types

  • Query-based: Runs a graph query and evaluates the result set. Example: "Are there any deny-all rules? (FAIL if yes)".
  • Config-text-based: Applies regex patterns to raw device config snapshots. Example: "Does the device have ip ssh version 2? (PASS if present)".
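
The two control types and the score bands from 7D.2, worked through as an added example (not MeshOptixIQ's implementation). The control IDs, config snapshots and query rows are constructed, and the score formula (PASS divided by PASS plus FAIL, with SKIP excluded) is an assumption, since the page does not state how the percentage is derived.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ControlResult:
    control_id: str
    status: str                      # PASS / FAIL / SKIP
    affected: List[str] = field(default_factory=list)


def config_text_control(control_id: str, pattern: str, configs: Dict[str, str],
                        must_match: bool = True) -> ControlResult:
    """Regex control over raw config snapshots, keyed by hostname.

    must_match=True:  every device must contain the pattern (e.g. SSH v2).
    must_match=False: no device may contain it (e.g. telnet on VTY lines).
    """
    if not configs:
        return ControlResult(control_id, "SKIP")   # no snapshots collected
    rx = re.compile(pattern, re.MULTILINE)
    affected = sorted(host for host, text in configs.items()
                      if bool(rx.search(text)) != must_match)
    return ControlResult(control_id, "FAIL" if affected else "PASS", affected)


def query_control(control_id: str, rows: List[dict]) -> ControlResult:
    """Query-based control in the 'FAIL if yes' form: any row is a finding."""
    affected = sorted({row["device"] for row in rows})
    return ControlResult(control_id, "FAIL" if rows else "PASS", affected)


def score(results: List[ControlResult]) -> Optional[int]:
    """Assumed formula: PASS / (PASS + FAIL) as a percentage; SKIP not counted."""
    counted = [r for r in results if r.status != "SKIP"]
    if not counted:
        return None
    return round(100 * sum(r.status == "PASS" for r in counted) / len(counted))


def band(pct: int) -> str:
    """Bands from section 7D.2."""
    if pct >= 80:
        return "Compliant"
    if pct >= 60:
        return "Needs Attention"
    return "Non-Compliant"


# Constructed config snapshots (not real device output).
CONFIGS = {
    "core-sw-01": "hostname core-sw-01\nip ssh version 2\nntp server 10.0.0.10\n",
    "dist-sw-01": "hostname dist-sw-01\nip ssh version 1\nntp server 10.0.0.10\n",
    # A remark that mentions the command must not satisfy the control.
    "acc-sw-01": "hostname acc-sw-01\n! ip ssh version 2 planned\n"
                 "ntp server 10.0.0.10\n",
}
# Constructed result rows for a query-based control.
DENY_ALL_ROWS = [{"device": "fw-edge-01", "rule": "deny-all"}]


def run_sample():
    """Evaluate five constructed controls and return (results, score, band)."""
    results = [
        # Anchored to the start of a line so the remark on acc-sw-01 fails.
        config_text_control("EX-SSH", r"^ip ssh version 2\s*$", CONFIGS),
        config_text_control("EX-NTP", r"^ntp server \S+", CONFIGS),
        config_text_control("EX-TELNET", r"^\s*transport input .*\btelnet\b",
                            CONFIGS, must_match=False),
        query_control("EX-DENY-ALL", DENY_ALL_ROWS),
        config_text_control("EX-BANNER", r"^banner login", {}),
    ]
    pct = score(results)
    return results, pct, band(pct)
```

An unanchored pattern such as `ip ssh version 2` would pass acc-sw-01 on the strength of its remark line, which is why the SSH control anchors to the start of the line.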

7D.4 Exporting Results

# Export compliance results to CSV
curl -H "X-API-Key: your-key" \
  "http://localhost:8000/compliance/export/{run_id}" \
  -o compliance-results.csv

# List recent runs
curl -H "X-API-Key: your-key" \
  http://localhost:8000/compliance/runs

License Requirement

Compliance requires the compliance_reporting flag (Enterprise only). Config-text-based controls additionally require the config_management flag to be enabled and config snapshots to have been collected.

Chapter 7E Pro+ / Enterprise

Automation & SOAR

Quick Start

Navigate to /automation for Ansible inventory export and NetBox sync. For SOAR rules, go to /automation → SOAR Rules tab (Enterprise only).

7E.1 Ansible Dynamic Inventory

Export the full device graph as an Ansible dynamic inventory — grouped by vendor, role, and firewall presence:

# JSON format (default)
curl -H "X-API-Key: your-key" \
  http://localhost:8000/inventory/ansible

# INI format (legacy Ansible)
curl -H "X-API-Key: your-key" \
  "http://localhost:8000/inventory/ansible?format=ini"

In the UI, use the Format toggle button to switch between JSON and INI, then copy or download the inventory.

7E.2 SOAR Rules Enterprise

SOAR rules automatically dispatch webhook events when a qualifying query condition is met. Rule schema:

Field | Description
name | Rule display name
query | Query to evaluate (e.g., deny_rules_summary)
condition | Trigger condition: row_count > N, status >= N, elapsed_ms > N
severity | critical / warning / info

The SOAR event log (GET /automation/events) shows the history of triggered rules with matched row count and webhook dispatch status.
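
How the SOAR `condition` strings above and the alert-rule `operator` / `threshold` fields from 7A.1 can be evaluated with a strict parser instead of `eval`, as an added example rather than MeshOptixIQ's own code. The page shows only `>` and `>=` in conditions; accepting `<`, `<=` and `==` as well, the sample SOAR rule, and the outcome dictionary keys are assumptions.

```python
import operator
import re

# Named operators from the alert-rule table in 7A.1.
OPS = {"gt": operator.gt, "lt": operator.lt, "gte": operator.ge,
       "lte": operator.le, "eq": operator.eq}
# Symbolic forms used in SOAR conditions, mapped onto the same names.
SYMBOLS = {">": "gt", "<": "lt", ">=": "gte", "<=": "lte", "==": "eq"}
# The only left-hand sides the SOAR rule schema lists.
SOAR_FIELDS = {"row_count", "status", "elapsed_ms"}

_COND = re.compile(r"\s*([a-z_]+)\s*(>=|<=|==|>|<)\s*(-?\d+(?:\.\d+)?)\s*")


def _is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def parse_condition(text):
    """Parse '<field> <op> <N>' into (field, op_name, N); reject anything else."""
    m = _COND.fullmatch(text)
    if not m or m.group(1) not in SOAR_FIELDS:
        raise ValueError(f"unsupported condition: {text!r}")
    return m.group(1), SYMBOLS[m.group(2)], float(m.group(3))


def soar_rule_fires(rule, outcome):
    """True when the query outcome satisfies the rule's condition."""
    name, op, n = parse_condition(rule["condition"])
    value = outcome.get(name)
    if not _is_number(value):
        return False          # a missing measurement never triggers a webhook
    return OPS[op](value, n)


def alert_rule_fires(rule, metrics):
    """True when metrics[target] <operator> threshold holds."""
    op = OPS.get(rule["operator"])
    if op is None:
        raise ValueError(f"unknown operator: {rule['operator']!r}")
    value = metrics.get(rule["target"])
    if not _is_number(value):
        return False
    return op(value, rule["threshold"])


# The alert rule from the page's curl example in 7A.1.
BGP_RULE = {"name": "BGP Session Down", "target": "bgp_peers_down",
            "operator": "gt", "threshold": 0, "severity": "critical"}
# Constructed SOAR rule using the documented schema.
SOAR_RULE = {"name": "Many deny rules", "query": "deny_rules_summary",
             "condition": "row_count > 10", "severity": "warning"}
```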

7E.3 NetBox Bidirectional Sync Pro+

Sync device metadata between MeshOptixIQ and NetBox. Supports push (MeshOptixIQ → NetBox), pull (NetBox → MeshOptixIQ graph nodes), and both.

# Dry run before syncing
meshq sync --target netbox --direction pull --dry-run

# Execute sync
meshq sync --target netbox --direction both

The UI shows a dry-run diff with a sync direction badge and confirmation button.

7E.4 Config Snapshots & Drift Detection Pro+

Enable "Capture config snapshot" per device in the Collection settings. Snapshots are stored and compared on each collection run. If a device's config changes, a drift alert fires.

  • View config history: GET /configs/{hostname}/history
  • Compare two snapshots: GET /configs/{hostname}/diff?from_ts=&to_ts=
  • UI: /configs page shows all devices with snapshots, a timeline, and a unified diff viewer