# openalice-passport-dashboard
## At a glance
| field | value |
|---|---|
| kind | `product` |
| priority | `—` |
| default branch | `main` |
| last activity | 2026-06-17T17:47:17+00:00 |
| features catalogued | **8** |
| runtime deps declared | **0** |

## Env drift

**Code reads, manifest omits (5):**
- `NEXT_PUBLIC_PASSPORT_API`
- `OA_NEXT_DIST_DIR`
- `PASSPORT_DASHBOARD_DEV_TOKEN`
- `PASSPORT_DEV_IDENTITY_ID`
- `SHARED_JWT_SECRET`

## Features (8)

### passport-dashboard/console
- **`passport-dashboard.console.actions`** — Server actions for the owner console: - revokeAction: POST /v1/passports/{pid}/revoke (JWT-gated) JWT is read from the pp_session HttpOnly cookie set at login.  
  *src/app/console/actions.ts:4*
- **`passport-dashboard.console.issue.actions`** — Server action for issuing a passport. POST /v1/identities/{id}/passports (JWT-gated) The identity_id is extracted from the JWT sub claim (the operator is attesting for their own identity, or a specific identity_id is passed). JWT is read from the pp_session cookie.  
  *src/app/console/issue/actions.ts:4*

### passport-dashboard/login
- **`passport-dashboard.login.actions`** — Server action for the owner console login. Validates credentials against NEXT_PUBLIC_PASSPORT_API's internal auth (or a configurable identity service). Sets the pp_session HttpOnly cookie on success and redirects to /console. NOTE: The openalice-passport API uses the same SHARED_JWT_SECRET (HS256) as the rest of the lab stack. The login form accepts a pre-minted JWT directly (dev workflow) OR issues one via a future /v1/auth endpoint. For the MVP console, the operator pastes their JWT directly (same pattern as the alice-cli workflow). A full user/password flow is a follow-up.  
  *src/app/login/actions.ts:4*

### passport-dashboard/middleware
- **`passport-dashboard.middleware.auth-guard`** — Guards the /console/* owner routes — requires a live pp_session cookie. /verify and /login are always public. Runs on Edge runtime; no signature verification here (passport API does that).  
  *src/middleware.ts:2*

### passport-dashboard/page
- **`passport-dashboard.page.console`** — Owner console home — lists the authenticated identity's issued passports and offers a look-up-by-ID tool for any passport. Wires: - GET /v1/identities/{id}/passports (via listPassports — owner's issued list) - GET /v1/passports/{pid}/verify    (via ConsoleLookup — any passport by id) The issued-passports list is fetched server-side using the JWT from the pp_session cookie; the identity is taken from the token claims. If the token is missing or the API is unreachable the page degrades gracefully to the look-up tool rather than failing the render.  
  *src/app/console/page.tsx:2*
- **`passport-dashboard.page.console.issue`** — Issue a new identity passport for a component. Wires: POST /v1/identities/{id}/passports (via issueAction server action) Fields: - identity_id (optional — defaults to JWT sub) - component (soul | memory | voice | visual | genome) - manifest_hash (blake3:<hex>) - provenance.source - provenance.consent_kind - provenance.when (ISO 8601) - vault_version (default 1)  
  *src/app/console/issue/page.tsx:2*
- **`passport-dashboard.page.login`** — Owner console sign-in — split brand panel (dark-sakura) + JWT paste form. MVP: operators paste a pre-minted JWT (matching the SHARED_JWT_SECRET used by openalice-passport). No email/password UI yet — that's a follow-up. This matches the development workflow of the rest of the lab stack. Wires: loginAction (server action — sets pp_session cookie, redirects to /console)  
  *src/app/login/page.tsx:2*
- **`passport-dashboard.page.verify`** — PUBLIC identity passport verification portal — no login required. Anyone (regulators, users, journalists) can paste a passport ID and receive an immediate, honest verdict on whether the credential is genuine, revoked, or unknown. What a passport attests: - WHAT component was captured (soul, memory, voice, visual, genome) - WHERE it came from (provenance source) - WHEN consent was given and by whom (consent_kind, timestamp) - WHO issued the credential (OpenAlice authority key) - THAT the component manifest has not been tampered with (BLAKE3 hash + Ed25519 sig) Honest-claims (rendered as trust chips): - W3C VC 2.0 compliant credential format - Ed25519Signature2020 — issuer signs the credential, not a blockchain - C2PA-compatible provenance — deterrent, not enforcement chain - No blockchain, no tokens, no NFTs involved Wires: GET /v1/passports/{pid}/verify (openalice-passport API, NEXT_PUBLIC_PASSPORT_API)  
  *src/app/verify/page.tsx:2*

---

*Generated by [openalice-atlas](https://atlas.blal.pro) — single source of truth for the openalicelabs ecosystem.*
