m4/org/openalice-passport-dashboard

openalice-passport-dashboard

Features
8
Status
·unknown
Last activity
1mo ago
Branch
main

Architecture rating

F1mo ago
data layerF

Pure API consumer with zero owned tables — acceptable for a dashboard — but 5 undeclared env vars (including API base URL and dev identity) mean data flows are untracked; no schema, no migrations, no GDPR evidence

consistencyF

68 format issues, 2 god modules, 1 duplicate signature; manifest absent (30/100), env drift 50/100 with 5 undeclared vars; overall Atlas quality grade D (63) with weakest dimension manifest

securityF

SHARED_JWT_SECRET and PASSPORT_DASHBOARD_DEV_TOKEN appear in env-drift as undeclared; 4 bare/broad excepts can swallow auth failures; no manifest-declared endpoints to audit for headers or rate-limiting; no evidence of SSRF/injection guards in a Next.js app that proxies to NEXT_PUBLIC_PASSPORT_API

reliabilityF

4 bare/broad excepts, max cyclomatic complexity 22, 3 complexity flags; no health endpoint (Atlas probe confirms 'no https endpoint in manifest exposes'); no evidence of timeouts, retries, or graceful shutdown in the Next.js server

observabilityF

Atlas health probe cannot reach the service; zero console statements suggest no structured logging either; no metrics, no tracing, no readiness/liveness probes configured

testingF

Single test file (src/lib/api.test.ts) covering 8 declared features; no coverage metrics; tsconfig.test.json exists but critical UI and auth paths are almost certainly untested

docsF

No manifest (manifest_present: false), empty README excerpt, 196 missing docstrings, roadmap score 30/100; no @feature annotations or architecture notes discoverable

source · auto-grader-2026-06-18

Code composition

tokei · loc
2.1kloc
  • TSX53.9%
  • CSS21.4%
  • TypeScript21.2%
  • JSON3.6%
  • TSX53.9%· 1,137
  • CSS21.4%· 452
  • TypeScript21.2%· 447
  • JSON3.6%· 75
Language% codecodecommentsblanksfiles
TSX53.9%1,1371189312
CSS21.4%45251472
TypeScript21.2%4471287310
JSON3.6%75003

Telemetry ribbon · last 90 days

3 events
MAYJUNJUL2026-06-17 · lifecycle · first scan — repo indexed2026-06-17 · commit · new commit 4becfa7 → f3230c92026-06-17 · commit · new commit f3230c9 → fc3cd1eNOW
commitmanifestlifecyclekind

passport-dashboard/console

2 features
  • passport-dashboard.console.actions
    src/app/console/actions.ts:4
    Server actions for the owner console: - revokeAction: POST /v1/passports/{pid}/revoke (JWT-gated) JWT is read from the pp_session HttpOnly cookie set at login.
  • passport-dashboard.console.issue.actions
    src/app/console/issue/actions.ts:4
    Server action for issuing a passport. POST /v1/identities/{id}/passports (JWT-gated) The identity_id is extracted from the JWT sub claim (the operator is attesting for their own identity, or a specific identity_id is passed). JWT is read from the pp_session cookie.

passport-dashboard/login

1 feature
  • passport-dashboard.login.actions
    src/app/login/actions.ts:4
    Server action for the owner console login. Validates credentials against NEXT_PUBLIC_PASSPORT_API's internal auth (or a configurable identity service). Sets the pp_session HttpOnly cookie on success and redirects to /console. NOTE: The openalice-passport API uses the same SHARED_JWT_SECRET (HS256) as the rest of the lab stack. The login form accepts a pre-minted JWT directly (dev workflow) OR issues one via a future /v1/auth endpoint. For the MVP console, the operator pastes their JWT directly (same pattern as the alice-cli workflow). A full user/password flow is a follow-up.

passport-dashboard/middleware

1 feature
  • passport-dashboard.middleware.auth-guard
    src/middleware.ts:2
    Guards the /console/* owner routes — requires a live pp_session cookie. /verify and /login are always public. Runs on Edge runtime; no signature verification here (passport API does that).

passport-dashboard/page

4 features
  • passport-dashboard.page.console
    src/app/console/page.tsx:2
    Owner console home — lists the authenticated identity's issued passports and offers a look-up-by-ID tool for any passport. Wires: - GET /v1/identities/{id}/passports (via listPassports — owner's issued list) - GET /v1/passports/{pid}/verify (via ConsoleLookup — any passport by id) The issued-passports list is fetched server-side using the JWT from the pp_session cookie; the identity is taken from the token claims. If the token is missing or the API is unreachable the page degrades gracefully to the look-up tool rather than failing the render.
  • passport-dashboard.page.console.issue
    src/app/console/issue/page.tsx:2
    Issue a new identity passport for a component. Wires: POST /v1/identities/{id}/passports (via issueAction server action) Fields: - identity_id (optional — defaults to JWT sub) - component (soul | memory | voice | visual | genome) - manifest_hash (blake3:<hex>) - provenance.source - provenance.consent_kind - provenance.when (ISO 8601) - vault_version (default 1)
  • passport-dashboard.page.login
    src/app/login/page.tsx:2
    Owner console sign-in — split brand panel (dark-sakura) + JWT paste form. MVP: operators paste a pre-minted JWT (matching the SHARED_JWT_SECRET used by openalice-passport). No email/password UI yet — that's a follow-up. This matches the development workflow of the rest of the lab stack. Wires: loginAction (server action — sets pp_session cookie, redirects to /console)
  • passport-dashboard.page.verify
    src/app/verify/page.tsx:2
    PUBLIC identity passport verification portal — no login required. Anyone (regulators, users, journalists) can paste a passport ID and receive an immediate, honest verdict on whether the credential is genuine, revoked, or unknown. What a passport attests: - WHAT component was captured (soul, memory, voice, visual, genome) - WHERE it came from (provenance source) - WHEN consent was given and by whom (consent_kind, timestamp) - WHO issued the credential (OpenAlice authority key) - THAT the component manifest has not been tampered with (BLAKE3 hash + Ed25519 sig) Honest-claims (rendered as trust chips): - W3C VC 2.0 compliant credential format - Ed25519Signature2020 — issuer signs the credential, not a blockchain - C2PA-compatible provenance — deterrent, not enforcement chain - No blockchain, no tokens, no NFTs involved Wires: GET /v1/passports/{pid}/verify (openalice-passport API, NEXT_PUBLIC_PASSPORT_API)