feat: add static Next.js dashboard

.github/workflows/publish-rc.yml

@@ -22,13 +22,26 @@ jobs:
 
       - uses: astral-sh/setup-uv@v7
 
+      - name: Set up Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: "24"
+          cache: "pnpm"
+          cache-dependency-path: ui/pnpm-lock.yaml
+
+      - name: Enable pnpm
+        run: corepack enable
+
       - name: Compute RC version
         run: |
           CURRENT=$(grep '^version = ' pyproject.toml | sed 's/version = "//;s/"//')
           BASE=$(echo "$CURRENT" | sed 's/rc[0-9]*$//')
           RC_VERSION="${BASE}rc${{ github.run_number }}"
           sed -i "s/^version = \".*\"/version = \"${RC_VERSION}\"/" pyproject.toml
 
+      - name: Build static UI
+        run: ./scripts/build-ui.sh
+
       - name: Build
         run: uv build
 

.github/workflows/publish.yml

@@ -17,6 +17,19 @@ jobs:
 
       - uses: astral-sh/setup-uv@v7
 
+      - name: Set up Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: "24"
+          cache: "pnpm"
+          cache-dependency-path: ui/pnpm-lock.yaml
+
+      - name: Enable pnpm
+        run: corepack enable
+
+      - name: Build static UI
+        run: ./scripts/build-ui.sh
+
       - name: Build distributions
         run: uv build
 

.github/workflows/test.yml

@@ -13,29 +13,47 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-
+
+      - uses: astral-sh/setup-uv@v7
+
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
           python-version: "3.13"
           cache: "pip"
-
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 10
+
+      - name: Set up Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: "24"
+          cache: "pnpm"
+          cache-dependency-path: ui/pnpm-lock.yaml
+
       - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -e ".[dev]"
+        run: uv pip install --system -e ".[dev]"
+
+      - name: Build static UI
+        run: ./scripts/build-ui.sh
+
+      - name: Lint static UI
+        run: uv run pnpm --dir ui lint
 
       - name: Lint with ruff
         run: |
-          ruff check src/ tests/
-          ruff format --check src/ tests/
-          
+          uv run ruff check src/ tests/
+          uv run ruff format --check src/ tests/
+
       - name: Type check with ty
-        run: ty check src/
-          
+        run: uv run ty check src/
+
       - name: Run tests with coverage
-        run: pytest --cov=authsome --cov-report=xml --cov-report=term -p no:xdist
-        
+        run: uv run pytest --cov=authsome --cov-report=xml --cov-report=term -p no:xdist
+
       - name: Upload coverage reports to Codecov
         uses: codecov/codecov-action@v6
         with:

.gitignore

@@ -15,6 +15,8 @@ downloads/
 eggs/
 .eggs/
 lib/
+!ui/src/lib/
+!ui/src/lib/**
 lib64/
 parts/
 sdist/
@@ -204,6 +206,10 @@ cython_debug/
 # Ruff stuff:
 .ruff_cache/
 
+# Generated static dashboard bundle
+src/authsome/ui/web/*
+!src/authsome/ui/web/.gitkeep
+
 # PyPI configuration file
 .pypirc
 
@@ -252,4 +258,7 @@ __marimo__/
 docs/superpowers/
 
 # Authsome skill (generated at eval time)
-.claude/skills/authsome/
+.claude/skills/authsome/
+
+/tmp
+/results

docs/site/concepts/provider-registry.mdx

@@ -42,7 +42,7 @@ Every provider definition declares:
 - An optional `api_url` for proxy routing.
 - An optional `export.env` map describing which environment variables hold which credential fields.
 
-For full templates and the field-by-field schema, see [Provider schema](/reference/provider-schema). For a worked OAuth example using GitHub, see [GitHub integration](/integrations/oauth/github). For an API-key example using OpenAI, see [OpenAI integration](/integrations/api-key/openai).
+For full templates and the field-by-field schema. For a worked OAuth example using GitHub, see [GitHub integration](/integrations/oauth/github). For an API-key example using OpenAI, see [OpenAI integration](/integrations/api-key/openai).
 
 ## Bundled providers do not imply bundled credentials
 

docs/site/docs.json

@@ -9,20 +9,28 @@
   "favicon": "/favicon.svg",
   "description": "Local credential broker for AI agents. Log in once via OAuth2 or API key. Authsome keeps tokens fresh and injects them at runtime.",
   "colors": {
-    "primary": "#83CA16",
-    "light": "#A3E635",
-    "dark": "#65A30D"
+    "primary": "#10B981",
+    "light": "#4EDEA3",
+    "dark": "#059669"
   },
   "background": {
     "color": {
       "light": "#FFFFFF",
-      "dark": "#0A0A0A"
+      "dark": "#09090B"
     }
   },
   "appearance": {
     "default": "dark",
     "strict": false
   },
+  "font": {
+    "headings": {
+      "family": "Hanken Grotesk"
+    },
+    "body": {
+      "family": "Hanken Grotesk"
+    }
+  },
   "banner": {
     "content": "Authsome is in active development. [Star us on GitHub](https://github.com/agentrhq/authsome) to follow along.",
     "dismissible": true

docs/site/guides/custom-providers.mdx

@@ -139,7 +139,7 @@ Pick a template based on the auth type.
 | `device_code` | Headless OAuth2. User enters a code on a separate device. Needs `client_id`. |
 | `api_key` | Single secret with a header. Optional `env_var` for scripted setup. |
 
-For the full schema with every supported field, see the [Provider schema reference](/reference/provider-schema).
+Every supported field is listed in the JSON templates above.
 
 ## Step 4: Register the provider
 
@@ -198,9 +198,6 @@ authsome list   # github now shows source=custom
 ## What's next
 
 <Columns cols={2}>
-  <Card title="Provider schema" icon="file-code" href="/reference/provider-schema">
-    Every field in a provider definition.
-  </Card>
   <Card title="Provider registry" icon="folder-tree" href="/concepts/provider-registry">
     How resolution and overrides work.
   </Card>

docs/site/installation.mdx

@@ -113,7 +113,6 @@ export AUTHSOME_HOME=/var/lib/authsome
 authsome init
 ```
 
-See [Filesystem layout](/reference/file-layout) for the full directory model.
 
 ## Choose the encryption backend
 

docs/site/integrations/agents/claude-code.mdx

@@ -153,13 +153,12 @@ Claude runs:
 authsome get github --connection work --field access_token --show-secret
 ```
 
-For the underlying model, see [Profiles vs connections](/concepts/profiles-vs-connections).
 
 ## What the skill cannot do
 
 - **It cannot type a `client_secret` for you.** Authsome refuses sensitive values as command-line arguments. The browser bridge is the only path.
 - **It cannot bypass the proxy CA requirement.** HTTPS interception needs the mitmproxy CA trusted on the machine. The first `authsome run` writes the CA to `~/.mitmproxy/`. See [Proxy networking](/troubleshooting/proxy-networking).
-- **It cannot share the vault across machines.** Claude Code on a second machine has its own `~/.authsome/`. Re-run logins there, or use a hosted daemon (see [Hosted deployment model](/security/hosted-deployment)).
+- **It cannot share the vault across machines.** Claude Code on a second machine has its own `~/.authsome/`. Re-run logins there.
 
 ## Troubleshooting
 

docs/site/integrations/agents/cowork.mdx

@@ -29,7 +29,6 @@ auth.create_profile("pr-bot", description="Auto-PR agent")
 auth.create_profile("reviewer", description="Code review agent")
 ```
 
-See [Profiles](/guides/profiles) and [Profiles vs connections](/concepts/profiles-vs-connections).
 
 ## Run each agent under its own proxy
 
@@ -56,13 +55,3 @@ Each agent's HTTP_PROXY points at a different daemon instance, each backed by a
 | Two agents accidentally share credentials | They're using the same `AUTHSOME_HOME`. Split them. |
 | Port 7998 conflicts | Each `AUTHSOME_HOME` starts its own daemon on its own ephemeral port. Confirm with `lsof -i`. |
 
-## What's next
-
-<Columns cols={2}>
-  <Card title="Profiles" icon="layer-group" href="/guides/profiles">
-    How profiles work and how to create them.
-  </Card>
-  <Card title="Profiles vs connections" icon="users" href="/concepts/profiles-vs-connections">
-    Pick the right isolation level.
-  </Card>
-</Columns>

docs/site/integrations/agents/hermes.mdx

@@ -111,7 +111,7 @@ Read it back:
 Use the work GitHub connection to open a PR.
 ```
 
-Hermes runs the agent under `authsome run --connection work -- ...`. For the underlying model, see [Profiles vs connections](/concepts/profiles-vs-connections).
+Hermes runs the agent under `authsome run --connection work -- ...`.
 
 ## Without the skill
 
@@ -136,7 +136,7 @@ See [Run agents with the proxy](/guides/run-agents-with-proxy) and [Python libra
 
 - **It cannot type a `client_secret` for you.** Authsome refuses sensitive values as command-line arguments. The browser bridge is the only path.
 - **It cannot bypass the proxy CA requirement.** HTTPS interception needs the mitmproxy CA trusted on the machine. The first `authsome run` writes the CA to `~/.mitmproxy/`. See [Proxy networking](/troubleshooting/proxy-networking).
-- **It cannot share the vault across machines.** Hermes on a second machine has its own `~/.authsome/`. Re-run logins there, or use a hosted daemon (see [Hosted deployment model](/security/hosted-deployment)).
+- **It cannot share the vault across machines.** Hermes on a second machine has its own `~/.authsome/`. Re-run logins there.
 
 ## Troubleshooting
 

docs/site/integrations/api-key/ahrefs.mdx

@@ -97,7 +97,6 @@ authsome inspect ahrefs > ~/.authsome/providers/ahrefs.json
 authsome list   # source now shows "custom" for ahrefs
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/apollo.mdx

@@ -97,7 +97,6 @@ authsome inspect apollo > ~/.authsome/providers/apollo.json
 authsome list   # source now shows "custom" for apollo
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/ashby.mdx

@@ -97,7 +97,6 @@ authsome inspect ashby > ~/.authsome/providers/ashby.json
 authsome list   # source now shows "custom" for ashby
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/beehiiv.mdx

@@ -97,7 +97,6 @@ authsome inspect beehiiv > ~/.authsome/providers/beehiiv.json
 authsome list   # source now shows "custom" for beehiiv
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/brevo.mdx

@@ -97,7 +97,6 @@ authsome inspect brevo > ~/.authsome/providers/brevo.json
 authsome list   # source now shows "custom" for brevo
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/buffer.mdx

@@ -98,7 +98,6 @@ authsome inspect buffer > ~/.authsome/providers/buffer.json
 authsome list   # source now shows "custom" for buffer
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/calendly.mdx

@@ -97,7 +97,6 @@ authsome inspect calendly > ~/.authsome/providers/calendly.json
 authsome list   # source now shows "custom" for calendly
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/clearbit.mdx

@@ -99,7 +99,6 @@ authsome inspect clearbit > ~/.authsome/providers/clearbit.json
 authsome list   # source now shows "custom" for clearbit
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/dub.mdx

@@ -97,7 +97,6 @@ authsome inspect dub > ~/.authsome/providers/dub.json
 authsome list   # source now shows "custom" for dub
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/g2.mdx

@@ -99,7 +99,6 @@ authsome inspect g2 > ~/.authsome/providers/g2.json
 authsome list   # source now shows "custom" for g2
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/hunter.mdx

@@ -97,7 +97,6 @@ authsome inspect hunter > ~/.authsome/providers/hunter.json
 authsome list   # source now shows "custom" for hunter
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/index.mdx

@@ -109,7 +109,6 @@ For a service authsome doesn't bundle (Anthropic, Stripe, Twilio, and many other
 2. Write a JSON definition. See [Custom providers](/guides/custom-providers) for the template.
 3. `authsome register ./<name>.json`.
 
-The schema is in [Provider schema](/reference/provider-schema).
 
 ## What's next
 

docs/site/integrations/api-key/instantly.mdx

@@ -97,7 +97,6 @@ authsome inspect instantly > ~/.authsome/providers/instantly.json
 authsome list   # source now shows "custom" for instantly
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/intercom.mdx

@@ -100,7 +100,6 @@ authsome inspect intercom > ~/.authsome/providers/intercom.json
 authsome list   # source now shows "custom" for intercom
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/keywords-everywhere.mdx

@@ -97,7 +97,6 @@ authsome inspect keywords-everywhere > ~/.authsome/providers/keywords-everywhere
 authsome list   # source now shows "custom" for keywords-everywhere
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/klaviyo.mdx

@@ -97,7 +97,6 @@ authsome inspect klaviyo > ~/.authsome/providers/klaviyo.json
 authsome list   # source now shows "custom" for klaviyo
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next
 

docs/site/integrations/api-key/lemlist.mdx

@@ -97,7 +97,6 @@ authsome inspect lemlist > ~/.authsome/providers/lemlist.json
 authsome list   # source now shows "custom" for lemlist
 ```
 
-See [Provider schema](/reference/provider-schema) for every field.
 
 ## What's next