alphaswarm-ui
The cloud-hosted, customer-facing operator dashboard. Auth-gated and multi-tenant; Auth0 (B2C) was the historic provider but the post-launcher-refactor surface is Entra-only — Auth0 has been purged from the SPA bundle.
The public marketing site is a sibling, separate repo —
alphaswarm-website at alpha-swarm.ai.
Identity
| Field | Value |
|---|---|
| Service id | alphaswarm-ui |
| Role | frontend |
| Package | alphaswarm_ui/ |
| Image (key) | ui |
| Built from | (not Dockerfile-based — typically Vercel / Cloudflare Pages SSR; AQPUI CR can also stand it up as a Deployment in a cluster) |
Wire
| Field | Value |
|---|---|
| Protocol | HTTP/1.1 + WebSocket |
| Port | 80 (container) / 3000 (Next.js dev) |
| Health | GET /api/healthz |
| Public URL | https://app.alpha-swarm.ai |
| Identity | Microsoft Entra (B2B SSO via MsalEntraProvider); local dev-stub gated by ALPHASWARM_AUTH_DEV_STUB=true (hard-disabled in production builds) |
Routes
| Route | Purpose |
|---|---|
| /login, /signup, /onboarding/* | Provider-aware auth screens (Entra login + dev-stub) |
| /dashboard, /strategies, /paper-runs, /backtests, /data, /ml, /agents, /workflows, /labs, /analytics, /research, /portfolio, /settings | Operator dashboard |
| /api/auth/entra/login, /callback, /logout, /stepup | BFF route handlers — proxy to alphaswarm-cp /auth/* (Phase 3) |
| /api/* | Other BFF proxies (tenancy-scoped, kill-switch fan-out) |
The marketing routes (/, /pricing, /docs, /legal, /about,
/blog, /changelog) moved out to the
alphaswarm_website repo as part of the
controller-launcher refactor.
Deployment surfaces
| Surface | Where |
|---|---|
| Hosted (canonical) | Cloudflare Pages or Vercel — pinned next >=14.2.25 for CVE-2025-29927 |
| Cluster (option) | AQPUI CR — Deployment + Service + Ingress |
| Identity provisioning | alphaswarm_platform/terraform/modules/alphaswarm_ui_identity/ |
Dependencies
Upstream (HTTP-only):
- alphaswarm-cp (/auth/*, /manage/*) — every BFF route delegates here.
- alphaswarm-core (/api/*) — for tenancy-scoped business calls the BFF routes proxy.
Downstream:
- B2C and B2B users; multi-tenant via EntraTenantLink rows in the controller's database.
Operations
- Bundle pinning: next >=14.2.25 (CVE-2025-29927).
- CSP: restricted to manage.alpha-swarm.ai and the controller's *.alpha-swarm.ai cell ingresses.
- No client-side auth SDK: the SPA never reads an Entra token — only the BFF route handlers do.
- Dev-stub: ALPHASWARM_AUTH_DEV_STUB=true writes a Local Dev User session inline; the scripts/ci/check_alphaswarm_ui_no_auth0.py guard fails on any new Auth0 reference.
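An added example, not the project's own code: a CI guard that enforces the bundle pin above against the versions npm actually resolved, including nested transitive copies of next that a declared range in package.json would not reveal. The function names and the sample lockfile are assumptions constructed for illustration.

```python
import json
import re

FLOOR = (14, 2, 25)  # floor stated on the page: next >=14.2.25 (CVE-2025-29927)
_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")

# Constructed npm lockfile (lockfileVersion 3) for illustration, not the project's.
# The top-level copy meets the floor; a nested transitive copy does not.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-ui"},
        "node_modules/next": {"version": "14.2.25"},
        "node_modules/example-plugin/node_modules/next": {"version": "14.1.0"},
    },
})


def meets_floor(version, floor=FLOOR):
    """True if `version` is a release at or above `floor`."""
    match = _SEMVER.match(version)
    if match is None:
        return False  # unparseable versions fail closed
    core = tuple(int(part) for part in match.group(1, 2, 3))
    # Semver orders a pre-release below the release with the same core,
    # so 14.2.25-canary.1 does not satisfy a 14.2.25 floor.
    if core == floor and match.group(4):
        return False
    return core >= floor


def check_lockfile(lock_text, floor=FLOOR):
    """Return findings for every resolved copy of next; an empty list is a pass."""
    packages = json.loads(lock_text).get("packages", {})
    copies = {path: meta.get("version", "") for path, meta in packages.items()
              if path == "node_modules/next" or path.endswith("/node_modules/next")}
    if not copies:
        return ["next is not present in the lockfile"]  # nothing to verify: fail
    wanted = ".".join(map(str, floor))
    return [f"{path}: next {version or '<no version>'} is below {wanted}"
            for path, version in sorted(copies.items())
            if not meets_floor(version, floor)]


if __name__ == "__main__":
    problems = check_lockfile(SAMPLE_LOCK)
    print("\n".join(problems) or "ok")
    raise SystemExit(1 if problems else 0)
```

The floor is compared across all majors exactly as the page states it, so a release on a newer major line passes on version ordering alone and should be checked against the upstream advisory for that line.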
See also
- alphaswarm_ui/AGENTS.md — hard boundaries.
- alphaswarm-website.md — public marketing sibling.
- identity.md — Entra integration contract.