openalice-passport-dashboard
Architecture rating
Pure API consumer with zero owned tables — acceptable for a dashboard — but 5 undeclared env vars (including API base URL and dev identity) mean data flows are untracked; no schema, no migrations, no GDPR evidence
68 format issues, 2 god modules, 1 duplicate signature; manifest absent (30/100), env drift 50/100 with 5 undeclared vars; overall Atlas quality grade D (63) with weakest dimension manifest
SHARED_JWT_SECRET and PASSPORT_DASHBOARD_DEV_TOKEN appear in env-drift as undeclared; 4 bare/broad excepts can swallow auth failures; no manifest-declared endpoints to audit for headers or rate-limiting; no evidence of SSRF/injection guards in a Next.js app that proxies to NEXT_PUBLIC_PASSPORT_API
4 bare/broad excepts, max cyclomatic complexity 22, 3 complexity flags; no health endpoint (Atlas probe confirms 'no https endpoint in manifest exposes'); no evidence of timeouts, retries, or graceful shutdown in the Next.js server
Atlas health probe cannot reach the service; zero console statements suggest no structured logging either; no metrics, no tracing, no readiness/liveness probes configured
Single test file (src/lib/api.test.ts) covering 8 declared features; no coverage metrics; tsconfig.test.json exists but critical UI and auth paths are almost certainly untested
No manifest (manifest_present: false), empty README excerpt, 196 missing docstrings, roadmap score 30/100; no @feature annotations or architecture notes discoverable
source · auto-grader-2026-06-18
Code composition
tokei · loc- TSX53.9%
- CSS21.4%
- TypeScript21.2%
- JSON3.6%
- TSX53.9%
- CSS21.4%
- TypeScript21.2%
- JSON3.6%
- TSX53.9%· 1,137
- CSS21.4%· 452
- TypeScript21.2%· 447
- JSON3.6%· 75
| Language | % code | code | comments | blanks | files |
|---|---|---|---|---|---|
| TSX | 53.9% | 1,137 | 118 | 93 | 12 |
| CSS | 21.4% | 452 | 51 | 47 | 2 |
| TypeScript | 21.2% | 447 | 128 | 73 | 10 |
| JSON | 3.6% | 75 | 0 | 0 | 3 |
Telemetry ribbon · last 90 days
3 eventspassport-dashboard/console
2 features- passport-dashboard.console.actionssrc/app/console/actions.ts:4Server actions for the owner console: - revokeAction: POST /v1/passports/{pid}/revoke (JWT-gated) JWT is read from the pp_session HttpOnly cookie set at login.
- passport-dashboard.console.issue.actionssrc/app/console/issue/actions.ts:4Server action for issuing a passport. POST /v1/identities/{id}/passports (JWT-gated) The identity_id is extracted from the JWT sub claim (the operator is attesting for their own identity, or a specific identity_id is passed). JWT is read from the pp_session cookie.
passport-dashboard/login
1 feature- passport-dashboard.login.actionssrc/app/login/actions.ts:4Server action for the owner console login. Validates credentials against NEXT_PUBLIC_PASSPORT_API's internal auth (or a configurable identity service). Sets the pp_session HttpOnly cookie on success and redirects to /console. NOTE: The openalice-passport API uses the same SHARED_JWT_SECRET (HS256) as the rest of the lab stack. The login form accepts a pre-minted JWT directly (dev workflow) OR issues one via a future /v1/auth endpoint. For the MVP console, the operator pastes their JWT directly (same pattern as the alice-cli workflow). A full user/password flow is a follow-up.
passport-dashboard/middleware
1 feature- passport-dashboard.middleware.auth-guardsrc/middleware.ts:2Guards the /console/* owner routes — requires a live pp_session cookie. /verify and /login are always public. Runs on Edge runtime; no signature verification here (passport API does that).
passport-dashboard/page
4 features- passport-dashboard.page.consolesrc/app/console/page.tsx:2Owner console home — lists the authenticated identity's issued passports and offers a look-up-by-ID tool for any passport. Wires: - GET /v1/identities/{id}/passports (via listPassports — owner's issued list) - GET /v1/passports/{pid}/verify (via ConsoleLookup — any passport by id) The issued-passports list is fetched server-side using the JWT from the pp_session cookie; the identity is taken from the token claims. If the token is missing or the API is unreachable the page degrades gracefully to the look-up tool rather than failing the render.
- passport-dashboard.page.console.issuesrc/app/console/issue/page.tsx:2Issue a new identity passport for a component. Wires: POST /v1/identities/{id}/passports (via issueAction server action) Fields: - identity_id (optional — defaults to JWT sub) - component (soul | memory | voice | visual | genome) - manifest_hash (blake3:<hex>) - provenance.source - provenance.consent_kind - provenance.when (ISO 8601) - vault_version (default 1)
- passport-dashboard.page.loginsrc/app/login/page.tsx:2Owner console sign-in — split brand panel (dark-sakura) + JWT paste form. MVP: operators paste a pre-minted JWT (matching the SHARED_JWT_SECRET used by openalice-passport). No email/password UI yet — that's a follow-up. This matches the development workflow of the rest of the lab stack. Wires: loginAction (server action — sets pp_session cookie, redirects to /console)
- passport-dashboard.page.verifysrc/app/verify/page.tsx:2PUBLIC identity passport verification portal — no login required. Anyone (regulators, users, journalists) can paste a passport ID and receive an immediate, honest verdict on whether the credential is genuine, revoked, or unknown. What a passport attests: - WHAT component was captured (soul, memory, voice, visual, genome) - WHERE it came from (provenance source) - WHEN consent was given and by whom (consent_kind, timestamp) - WHO issued the credential (OpenAlice authority key) - THAT the component manifest has not been tampered with (BLAKE3 hash + Ed25519 sig) Honest-claims (rendered as trust chips): - W3C VC 2.0 compliant credential format - Ed25519Signature2020 — issuer signs the credential, not a blockchain - C2PA-compatible provenance — deterrent, not enforcement chain - No blockchain, no tokens, no NFTs involved Wires: GET /v1/passports/{pid}/verify (openalice-passport API, NEXT_PUBLIC_PASSPORT_API)