Dashboard Overview
The Suvra dashboard is a server-rendered enterprise UI shipped with the Control Plane. It exposes the same enforcement, approval, audit, and administration surfaces that the HTTP API provides, gated by the same RBAC permissions.
Access
- Open
https://<subdomain>.<clientdomain>(defaultsuvra.<yourdomain>) - First visit:
/dashboard/bootstrap-admincreates the first tenant admin - Subsequent visits:
/dashboard/loginauthenticates tenant users with email + password - Admin / bootstrap login still accepts the shared
SUVRA_AUTH_TOKENfor setup flows
CSRF is enforced on every POST /dashboard/* endpoint (including logout). A mode banner is shown when SUVRA_MODE != strict.
Overview page (/dashboard)
The home page is a command center with three zones plus a system health strip. Requires audit.read.
Onboarding banner — shown until the 5-step checklist is complete, with a progress bar and "Open checklist" link. Hidden automatically when all steps are done.
Zone 1 — Stat cards (4-column grid)
| Card | Content | Link |
|---|---|---|
| Actions Today | Total actions with allowed / denied / approval breakdown badges | — |
| Pending Approvals | Count with urgency color (green/amber/red) and contextual subtitle | /dashboard/approvals?status=pending |
| Active Agents | Agent count with anomaly count subtitle (when anomaly detection enabled) | /dashboard/agents |
| Policy Sync | Healthy / total node count with health badge; "Register a node" CTA when zero nodes | /dashboard/nodes |
Zone 2 — Two-column panel row
| Panel | Content |
|---|---|
| Recent Decisions (left) | Last ~10 decisions with badge (allowed/denied/approval), friendly action name, agent, and relative timestamp. Click through to audit detail. |
| Needs Your Attention (right) | Pending approval items with inline Approve / Deny buttons (gated on approvals.decide). Overflow links to the full approvals queue. |
Zone 3 — System health strip
Shows Control Plane status (Healthy/Degraded + version), node health summary (healthy/stale/offline counts), and policy last-updated timestamp.
Navigation
| Section | Path | What it shows |
|---|---|---|
| Home | /dashboard | KPI cards + recent activity |
| Onboarding | /dashboard/onboarding | First-run checklist derived from real tenant state |
| Policy | /dashboard/policy | SuvraPolicy global + agent policies, detail & edit |
| Policy Detail | /dashboard/policy/detail?policy_id=... | Per-policy rule cards, add/remove rules, assigned agents |
| Effective View | /dashboard/policy/effective?agent_id=... | Merged global + agent rules per agent |
| Rules Library | /dashboard/rules | 17 categories, 64 reusable rules, add-to-policy |
| Rule Builder | /dashboard/policy/rule-builder | Visual step-by-step rule creation with YAML preview |
| Simulator | /dashboard/simulate | Dry-run an action, see decision + policy stack + matched rule |
| Approvals | /dashboard/approvals | Pending / approved / denied / all tabs with approve+execute |
| Audit | /dashboard/audit | Full audit log with filters, detail drawer, timeline, CSV/JSON export |
| Agents | /dashboard/agents | Agent registry: edit metadata, bind policy/node, push refresh |
| Nodes | /dashboard/nodes | Registered nodes, derived health, push policy (one or all) |
| Users | /dashboard/users | Tenant users, invites, role assignment, suspend/disable |
| Compliance | /dashboard/compliance | Generate SOC2/NIST/ISO 27001 reports from audit data |
| License | /dashboard/billing | Plan, usage, license import / plan request |
| Account | /dashboard/account | Sessions and logout-all |
The active user, tenant, and resolved roles are shown in the dashboard header. Tabs and mutating controls are hidden when the signed-in principal lacks the required permission, and every route also enforces server-side authorization returning HTTP 403 on deny.
Onboarding checklist
/dashboard/onboarding is a 5-step first-run checklist derived from real tenant state — already-configured orgs are not pushed through onboarding again. After completion the checklist remains available but the overview banner disappears.
| # | Step | Done when |
|---|---|---|
| 1 | Create first admin user | An active admin role assignment exists for the tenant |
| 2 | Connect first agent | At least one agent is registered via integration or API |
| 3 | Review SuvraPolicy | A global policy is initialized |
| 4 | Run simulator example | A simulate event exists in the audit log |
| 5 | See audit log | Audit trail is populated after the simulation |
A "hosted control plane" fallback is available from the onboarding page for tenants that do not want to run their own node yet.
Explainability polish
Audit rows and approval details render buyer-friendly "why" summaries derived from the same structured decision trace the simulator and export endpoints produce. Pagination and export links omit inactive boolean filters so follow-up navigation stays stable.
License import
/dashboard/billing/import-license expects a signed license envelope by default (base64 Ed25519 signature over the canonical JSON license payload). SUVRA_LICENSE_VERIFY=0 disables verification for dev/testing. Use tools/license_keygen.py to generate Ed25519 key pairs and signed licenses.