IgnazioDS · IgnazioDS · Mar 26, 2026 · chatgpt-codex-connector · Mar 26, 2026
diff --git a/.gitignore b/.gitignore
@@ -52,6 +52,7 @@ venv/
 *.dylib
 *.dll
 *.exe
+SentinelID_Audit_v*.pdf
 dist/
 build/
 output/

diff --git a/apps/admin/.eslintrc.json b/apps/admin/.eslintrc.json
@@ -0,0 +1,5 @@
+{
+  "extends": [
+    "next/core-web-vitals"
+  ]
+}
diff --git a/apps/admin/README.md b/apps/admin/README.md
@@ -0,0 +1,50 @@
+# SentinelID Admin
+
+This Next.js app is the Vercel deployment target for the SentinelID admin dashboard.
+
+## Vercel Setup
+
+Create a Vercel project with the repository connected and set the project root directory to `apps/admin`.
+
+Required environment variables:
+
+- `CLOUD_BASE_URL`: Absolute base URL for the SentinelID cloud API. Use the public HTTPS origin in production.
+- `ADMIN_API_TOKEN`: Server-side admin token injected by the proxy route.
+- `ADMIN_UI_USERNAME`: Login username for the admin dashboard.
+- `ADMIN_UI_PASSWORD_HASH` or `ADMIN_UI_PASSWORD_HASH_B64`: Bcrypt hash for the admin password. `ADMIN_UI_PASSWORD_HASH_B64` is the safer option when pasting values into hosted environments.
+- `ADMIN_UI_SESSION_SECRET`: Secret used to sign the HttpOnly admin session cookie.
+
+Optional environment variables:
+
+- `ADMIN_UI_SESSION_TTL_MINUTES`: Session duration in minutes. Defaults to `480`.
+- `ADMIN_UI_SESSION_SECURE`: Set to `1` in production to force secure cookies. On Vercel this can usually be omitted because HTTPS is detected from forwarded headers.
+- `NEXT_PUBLIC_CLOUD_BASE_URL`: Fallback only if `CLOUD_BASE_URL` is not set.
+
+## Local Verification
+
+```bash
+npm install
+npm run lint
+npm run build
+```
+
+## Deploy
+
+Recommended monorepo flow:
+
+```bash
+cd /path/to/SentinelID
+vercel link --repo
+```
+
+In the Vercel project settings, set the Root Directory to `apps/admin`. After that, deployments can run from the repository root with the linked project:
+
+```bash
+vercel
+```
+
+For production:
+
+```bash
+vercel --prod
+```
diff --git a/apps/admin/app/api/cloud/[...path]/route.ts b/apps/admin/app/api/cloud/[...path]/route.ts
@@ -3,12 +3,15 @@ import { getAdminServerConfig } from '../../../../lib/server-env';
 import { readSessionFromRequest } from '../../../../lib/session';
 
 export const runtime = 'nodejs';
+export const maxDuration = 60;
 
-function configErrorResponse() {
+function configErrorResponse(error: unknown) {
   return Response.json(
     {
       detail:
-        'Admin configuration missing CLOUD_BASE_URL (or NEXT_PUBLIC_CLOUD_BASE_URL fallback). Set it and restart admin.',
+        error instanceof Error
+          ? error.message
+          : 'Admin server configuration is invalid.',
     },
     { status: 500 }
   );
@@ -25,8 +28,8 @@ async function proxyRequest(request: NextRequest, context: { params: { path: str
   let config;
   try {
     config = getAdminServerConfig();
-  } catch {
-    return configErrorResponse();
+  } catch (error) {
+    return configErrorResponse(error);
   }
 
   const session = readSessionFromRequest(request, config.adminUiSessionSecret);

diff --git a/apps/admin/lib/server-env.ts b/apps/admin/lib/server-env.ts
@@ -19,6 +19,30 @@ function requireEnv(name: string): string {
   return value;
 }
 
+function resolveCloudBaseUrl(): string {
+  const rawValue =
+    process.env.CLOUD_BASE_URL || process.env.NEXT_PUBLIC_CLOUD_BASE_URL || '';
+  const cloudBaseUrl = stripWrappingQuotes(rawValue);
+  if (!cloudBaseUrl) {
+    throw new Error(
+      'Missing required env var: CLOUD_BASE_URL (or NEXT_PUBLIC_CLOUD_BASE_URL fallback).',
+    );
+  }
+
+  let parsed: URL;
+  try {
+    parsed = new URL(cloudBaseUrl);
+  } catch {
+    throw new Error('CLOUD_BASE_URL must be an absolute URL.');
+  }
+
+  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+    throw new Error('CLOUD_BASE_URL must use http or https.');
+  }
+
+  return parsed.toString().replace(/\/+$/, '');
+}
+
 export interface AdminServerConfig {
   cloudBaseUrl: string;
   adminApiToken: string;
@@ -59,21 +83,13 @@ function resolveAdminUiPasswordHash(): string {
 }
 
 export function getAdminServerConfig(): AdminServerConfig {
-  const cloudBaseUrl =
-    process.env.CLOUD_BASE_URL?.trim() || process.env.NEXT_PUBLIC_CLOUD_BASE_URL?.trim();
-  if (!cloudBaseUrl) {
-    throw new Error(
-      'Admin configuration missing CLOUD_BASE_URL (or NEXT_PUBLIC_CLOUD_BASE_URL fallback).',
-    );
-  }
-
   const ttlRaw = process.env.ADMIN_UI_SESSION_TTL_MINUTES?.trim();
   const parsedTtl = ttlRaw ? Number.parseInt(ttlRaw, 10) : DEFAULT_SESSION_TTL_MINUTES;
   const adminUiSessionTtlMinutes =
     Number.isFinite(parsedTtl) && parsedTtl > 0 ? parsedTtl : DEFAULT_SESSION_TTL_MINUTES;
 
   return {
-    cloudBaseUrl,
+    cloudBaseUrl: resolveCloudBaseUrl(),
     adminApiToken: requireEnv('ADMIN_API_TOKEN'),
     adminUiUsername: requireEnv('ADMIN_UI_USERNAME'),
     adminUiPasswordHash: resolveAdminUiPasswordHash(),
-Original file line number
+Diff line change
@@ Expand Up / @@ -52,6 +52,7 @@ venv/ @@
     *.dylib
     *.dll
     *.exe
+    SentinelID_Audit_v*.pdf
     dist/
     build/
     output/
@@ Expand Down @@