Dashboard Overview
The Suvra dashboard is a server-rendered enterprise UI shipped with the Control Plane. It exposes the same enforcement, approval, audit, and administration surfaces that the HTTP API provides, gated by the same RBAC permissions.
Access
- Open https://<subdomain>.<clientdomain> (default suvra.<yourdomain>)
- First visit: /dashboard/bootstrap-admin creates the first tenant admin
- Subsequent visits: /dashboard/login authenticates tenant users with email + password
- Admin / bootstrap login still accepts the shared SUVRA_AUTH_TOKEN for setup flows
CSRF is enforced on every POST /dashboard/* endpoint (including logout). A mode banner is shown when SUVRA_MODE != strict.
Overview page (/dashboard)
The home page shows four KPI cards plus a recent-activity feed. Requires audit.read.
KPI cards
| Card | Source | Link |
|---|---|---|
| Total Events | Audit event count for the active tenant | — |
| Pending Approvals | Open approval requests | /dashboard/approvals?status=pending |
| Allows | allow decision count | — |
| Denies | deny decision count | — |
Recent Activity — last ~10 events with columns: Time, Actor, Action, Target, Decision badge, Status badge. Click Detail to open the same decision-trace drawer used in Audit Explorer.
Onboarding banner — shown until the 5-step checklist is complete, then hidden automatically.
Navigation
| Section | Path | What it shows |
|---|---|---|
| Home | /dashboard | KPI cards + recent activity |
| Onboarding | /dashboard/onboarding | First-run checklist derived from real tenant state |
| Policy | /dashboard/policy | SuvraPolicy global + agent policies, detail & edit |
| Policy Detail | /dashboard/policy/detail?policy_id=... | Per-policy rule cards, add/remove rules, assigned agents |
| Effective View | /dashboard/policy/effective?agent_id=... | Merged global + agent rules per agent |
| Rules Library | /dashboard/rules | 17 categories, 64 reusable rules, add-to-policy |
| Simulator | /dashboard/simulate | Dry-run an action, see decision + policy stack + matched rule |
| Approvals | /dashboard/approvals | Pending / approved / denied / all tabs with approve+execute |
| Audit | /dashboard/audit | Full audit log with filters, rollback, CSV / JSON export |
| Agents | /dashboard/agents | Agent registry: edit metadata, bind policy/node, push refresh |
| Nodes | /dashboard/nodes | Registered nodes, derived health, push policy (one or all) |
| Users | /dashboard/users | Tenant users, invites, role assignment, suspend/disable |
| License | /dashboard/billing | Plan, usage, license import / plan request |
| Account | /dashboard/account | Sessions and logout-all |
The active user, tenant, and resolved roles are shown in the dashboard header. Tabs and mutating controls are hidden when the signed-in principal lacks the required permission, and every route also enforces server-side authorization, returning HTTP 403 on deny.
Onboarding checklist
/dashboard/onboarding is a 5-step first-run checklist derived from real tenant state — already-configured orgs are not pushed through onboarding again. After completion the checklist remains available but the overview banner disappears.
| # | Step | Done when |
|---|---|---|
| 1 | Create first admin user | An active admin role assignment exists for the tenant |
| 2 | Connect first agent | At least one agent is registered via integration or API |
| 3 | Review SuvraPolicy | A global policy is initialized |
| 4 | Run simulator example | A simulate event exists in the audit log |
| 5 | See audit log | Audit trail is populated after the simulation |
A "hosted control plane" fallback is available from the onboarding page for tenants that do not want to run their own node yet.
Explainability polish
Audit rows and approval details render buyer-friendly "why" summaries derived from the same structured decision trace the simulator and export endpoints produce. Pagination and export links omit inactive boolean filters so follow-up navigation stays stable.
License import
/dashboard/billing/import-license expects a signed license envelope by default (base64 Ed25519 signature over the canonical JSON license payload). SUVRA_LICENSE_VERIFY=0 disables verification for dev/testing. Use tools/license_keygen.py to generate Ed25519 key pairs and signed licenses.
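The check described above, as an added example in Python using the `cryptography` package; it is not Suvra's code and does not claim to match the output of tools/license_keygen.py. The envelope field names `payload` and `signature`, the canonical form (sorted keys, compact separators, UTF-8) and the sample license fields are assumptions, since the page does not specify them.

```python
import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


class LicenseError(Exception):
    """Raised when an envelope is malformed or its signature does not verify."""


def canonical_json(payload: dict) -> bytes:
    # Assumed canonical form: sorted keys, no insignificant whitespace, UTF-8.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_license(private_key: Ed25519PrivateKey, payload: dict) -> dict:
    # Issuer side: sign the canonical bytes, ship payload + base64 signature.
    sig = private_key.sign(canonical_json(payload))
    return {"payload": payload, "signature": base64.b64encode(sig).decode("ascii")}


def verify_license(public_key: Ed25519PublicKey, envelope: dict) -> dict:
    # Importer side: fail closed on anything missing, malformed or unverifiable.
    payload, sig_b64 = envelope.get("payload"), envelope.get("signature")
    if not isinstance(payload, dict) or not isinstance(sig_b64, str):
        raise LicenseError("envelope must carry a payload object and a signature")
    try:
        sig = base64.b64decode(sig_b64, validate=True)
        # Re-canonicalize the received payload; never trust sender-supplied bytes.
        public_key.verify(sig, canonical_json(payload))
    except (ValueError, InvalidSignature) as exc:
        raise LicenseError("license signature verification failed") from exc
    return payload


# Constructed sample data: throwaway key pair and made-up license fields.
_issuer_key = Ed25519PrivateKey.generate()
SAMPLE_PUBLIC_KEY = _issuer_key.public_key()
SAMPLE_ENVELOPE = sign_license(
    _issuer_key, {"tenant": "example-tenant", "plan": "team", "seats": 25}
)

if __name__ == "__main__":
    print(verify_license(SAMPLE_PUBLIC_KEY, SAMPLE_ENVELOPE))
```

Because the verifier re-canonicalizes the payload before checking the signature, key order and whitespace in the uploaded file do not matter, while any change to a field value invalidates the license.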