How hive works
the mechanics behind hive's portal: the backend-for-frontend proxy that federates the apiary stack, the landing gate, and how health flows from doctor.
hive is a portal daemon with a server-side proxy. the browser only talks to hive, hive resolves which daemon owns a request and fetches it over loopback, so no daemon port is ever handed to a browser. health comes from doctor, not from hive probing services itself.
The short version: your browser only ever talks to hive. hive talks to everything else on your behalf, over your own machine's loopback. Here's the mechanics underneath that.
#One address, one origin
hive binds to 127.0.0.1:3853, hard-pinned with no way to override the host or port. The dashboard itself is a single-page app that hive owns and serves. Every page you visit, memories, projects, graphs, sync, logs, ROI, settings, comes from that one origin.
#The proxy that stands in for every daemon
Your browser makes requests only to hive, never directly to honeycomb, doctor, or nectar. When a request comes in for /api/* or /setup/*, hive's server figures out which daemon actually owns it and fetches it over local loopback on your behalf. The routing is simple: nectar owns the code-graph paths, honeycomb owns everything else.
This matters for two reasons. First, no daemon ever needs to handle a request from a different origin, which is a whole category of browser security header work that simply doesn't exist here. Second, no daemon's port is ever exposed to your browser directly, hive is the only address your browser knows about.
#Health comes from doctor, not from hive
hive doesn't probe the other daemons itself. doctor already does that, every 30 seconds, and hive reads doctor's health feed instead of duplicating the work. hive relays that feed to your browser as a live stream, so the health rail and the readiness screen update in real time without hive running its own health checks.
Five states come out of that feed: starting, warming, active, degraded, and error. Each one maps to a distinct bee icon, so status reads by shape, not just color.
#The landing gate
Before serving any page, hive runs a gate: health first, then sign-in. If the stack isn't healthy yet, you're redirected to the readiness screen. If you're not signed in, you're redirected to sign-in. Otherwise the page loads normally. The gate fails closed, any hiccup in the auth check sends you to sign-in rather than letting a request through by accident, and the redirect targets are fixed, not built from anything in the request, so there's no way to trick it into redirecting somewhere unexpected.
#Sign-in without a credential of its own
hive doesn't mint or store any credential. "Signed in" is really honeycomb's authenticated state, which reflects whether a credentials file exists on your machine. hive reads that state and never writes it. When it proxies a request, it forwards your browser's own headers along, minus a small set that shouldn't cross a hop.
#Staying up when something else is down
doctor checks hive's own health every 30 seconds too and restarts it on a crash, the same as any other daemon in the fleet. hive also guards against running twice on the same machine: it holds a lock file, and if a second copy tries to start while the lock is held by a live process, it exits cleanly instead of fighting the first one. If the lock is left behind by a process that's already dead, hive reclaims it rather than getting stuck.
#Degrading one panel, not the page
If a service behind the dashboard goes down, only the panel that depends on it goes into an "unreachable" state. The rest of the dashboard keeps working normally, because each panel's data comes from an independent piece of the proxy, not from one big all-or-nothing fetch. The panel recovers on its own once doctor brings the service back.
#Common questions
Why can't my browser just talk to honeycomb or nectar directly? It could, technically, but then every daemon would need to handle cross-origin requests safely, and your browser would need to know every port on the stack. Routing everything through one proxy removes that whole surface.
Does hive check daemon health on its own? No. doctor is the single source of truth for fleet health. hive reads doctor's feed and relays it, it doesn't run its own probes.
What happens if I open two instances of hive on the same machine? The second one detects the first is running via a lock file and exits cleanly instead of conflicting with it.