toa://toaservers
Headless game-server status for any site.
OVERVIEW
servers is the toa:// headless game-server status service — point it at your A2S-speaking servers and it tracks status, ping and player count on a schedule, alerting to Discord when something goes down. Flag a server public and its live status is available over a CORS-open read API and a drop-in <toa-servers> widget you can embed on any static site. Built multi-tenant with Postgres row-level security like the rest of the suite; the admin/config panel is single sign-on via toa://auth, and the monitoring backend stays internal behind it.
FEATURES
A2S monitoring
Polls each game server over the A2S protocol on a schedule — up/down status, ping and live player count, with flap protection so a single blip doesn't alert.
Public API + widget
Expose chosen servers via a CORS-open read API and a drop-in `<toa-servers>` Web Component (Shadow DOM, themeable) — render live status on any static site.
Opt-in public
Each server is private by default; flip `is_public` to surface it. Only flagged servers ever leave the gated config panel.
Discord alerts
Per-server alert rules (3 types) fire to Discord on state change, with a cooldown so you're not spammed.
Multi-tenant + private
Postgres row-level security isolates each site (FORCE RLS); the admin/config panel is single sign-on via toa://auth.
WHAT'S NEW
- added Public read API (
GET /api/public/v1/sites/{slug}/servers) — CORS-open, rate-limited (60/min per site+ip), returns onlyis_publicservers with sanitized latest status (no host/port/internal fields). - added
is_publicopt-in flag and optionalpublic_connectdisplay address per server. - added
<toa-servers>embeddable Web Component (Shadow DOM,--toasv-*token contract, auto-refresh) served from/embed/toa-servers.js. - added Superadmin site selection through the BFF (manage servers for multiple sites).
- changed
servers.toaweb.comdemoted from product to gated config panel, rebuilt on the canonical toa://.t-*console shell. - changed Edge now exposes only
/api/public,/embed,/health; gated routes stay behind the BFF. - security FORCE ROW LEVEL SECURITY on the tenant tables with an explicit
'*'sentinel for the sweep/retention/slug lookups — accidental owner-role queries now fail closed instead of leaking every site. (Full owner-side effect requires the owner DB role to be non-superuser.) - fixed Replaced the default Nuxt 404/500 with a toa://-styled error page.
- changed Database brought to POSTGRESQL_STANDARD: plural table names (
sites,servers,heartbeats,alert_rules,notification_logs),created_at/updated_aton every table with anupdate_updated_at()trigger, andidx_/fk_naming conventions. - changed API brought to FASTAPI_STANDARD: type hints on all signatures and
response_modelon the rule, heartbeat and settings routes. - changed Backend image brought to DOCKER_STANDARD:
uv+uv.lockfor reproducible builds; compose hardened (backendread_only+cap_drop+ resource limits, frontendcap_drop+ limits +depends_onhealthy). - fixed Migration now
GRANTs thetoaservers_approle explicitly, so DML survives table recreation (ALTER DEFAULT PRIVILEGESdoes not).
- fixed Discord alerts: corrected the async dependency and made the sweep resilient to dispatch failures (a failing webhook no longer aborts the tick).
- fixed Frontend design-standard compliance: monospace font, sharp corners, mobile-first layout, page metadata.
- fixed Completed the favicon set per FAVICON_STANDARD (SVG monogram, gaming/blue).
API