Public documentation for governed AI labor
SDKs/Governance/Connectors
Arx / Docs / ARX Dashboard

Documentation

ARX Dashboard

Project-Agent-trust-merge / arxsec-api/frontend/README.md

Project-Agent-trust-merge frontend arxsec-api/frontend/README.md

The Next.js (App Router) frontend for the ARX control plane. Provides the authenticated dashboard surfaces for governance, supervision, audit, and agent lifecycle, plus the public auth flow.

> Heads-up for contributors: read AGENTS.md before > writing code. This project tracks the latest Next.js — APIs and > conventions diverge from older training data.

Stack

  • Next.js 16 (App Router) + React 19
  • TypeScript 5
  • Tailwind CSS v4
  • Supabase auth (@supabase/ssr) — JWT issued by Supabase, forwarded to

the FastAPI control plane

Prerequisites

  • Node 22+ (matches Dockerfile.frontend)
  • npm (the repo commits package-lock.json)
  • arxsec-api reachable at the URL the client is configured against

(see Environment)

Setup

``bash cp .env.example .env.local # fill in Supabase keys npm install npm run dev # http://localhost:3000 ``

Scripts

| Command | What it does | |---|---| | npm run dev | Start the dev server on :3000 | | npm run build | Production build | | npm run start | Run the production build | | npm run lint | ESLint (eslint-config-next) |

Environment

Required (see .env.example):

| Var | Purpose | |---|---| | NEXT_PUBLIC_SUPABASE_URL | Supabase project URL | | NEXT_PUBLIC_SUPABASE_ANON_KEY | Supabase anon key | | NEXT_PUBLIC_API_URL | Control-plane base URL (currently superseded — see note below) |

> Note on NEXT_PUBLIC_API_URL: the API client in > src/lib/api.ts currently hardcodes the base URL > to https://api.arxsec.io because a misconfigured GitHub secret > would otherwise be baked into the build at compile time. If you > point the dashboard at a non-prod control plane, edit API_BASE > in that file.

Optional auth rate-limit tuning (see src/lib/login-rate-limit.ts):

| Var | Default | |---|---| | AUTH_PASSWORD_MAX_ATTEMPTS_PER_IP | 20 | | AUTH_PASSWORD_WINDOW_MS | 900000 (15 min) | | AUTH_OAUTH_INIT_MAX_PER_IP | 40 | | AUTH_OAUTH_INIT_WINDOW_MS | 3600000 (1 hr) | | AUTH_OAUTH_CALLBACK_MAX_PER_IP | 60 | | AUTH_OAUTH_CALLBACK_WINDOW_MS | 3600000 (1 hr) | | NEXT_PUBLIC_APP_URL | Used to compute the canonical redirect origin |

Layout

`` src/ ├── app/ │ ├── (auth)/ login, signup, OAuth callback │ ├── (dashboard)/ 17 governance surfaces (see below) │ ├── (legal)/ privacy, terms │ ├── assessment/ standalone maturity assessment │ ├── blog/ blog │ ├── dashboard/ dashboard entry │ ├── layout.tsx │ └── page.tsx marketing landing ├── components/ shared UI (sidebar, theme, policy editor, …) ├── hooks/ React hooks ├── lib/ api client, Supabase helpers, rate limiting └── middleware.ts Supabase session refresh + auth gating ``

Dashboard route groups under src/app/(dashboard)/: agents, approvals, audit, compliance, connectors, docs, integrations, members, notifications, onboarding, overview, policies, registry, runs, sdk, secrets, settings.

Auth model

Supabase issues the user JWT on login. middleware.ts refreshes the session on every request via @supabase/ssr. The API client (src/lib/api.ts) attaches the JWT as a Bearer token on every call to the control plane; the FastAPI side validates and maps to the workforce identity model.

There is no Next.js app/api/ BFF layer — pages call the control plane directly through the typed client.

Deploy

Containerized via ../../Dockerfile.frontend (Node 22, multi-stage, standalone output). The NEXT_PUBLIC_* vars are build-args because Next.js inlines them at build time.