import { useEffect, useMemo, useState, type FormEvent } from 'react' import './App.css' import { addMembership, approveNode, createControlPlane, createNetwork, createToken, createUser, deleteControlPlane, deleteMembership, deleteNetwork, getAcl, getKeyPolicy, getMe, getUser, listAdminAudit, listControlPlaneAudit, listControlPlanes, listNetworks, listNodes, listProviders, listRoles, listUsers, login, logout, nodeKeys, revokeNode, revokeToken, rotateNodeKeys, setUserPassword, updateAcl, updateControlPlane, updateKeyPolicy, updateUser, verifyControlPlane, type AdminAuditEntry, type AdminNodesResponse, type AuditLogResponse, type ControlPlaneSummary, type CreateTokenResponse, type EnrollmentToken, type KeyHistoryResponse, type KeyPolicyResponse, type NetworkSummary, type NodeInfo, type AuthSession, type AuthUserSummary, type ProviderSummary, type RoleSummary, type UserDetail, type UserSummary, } from './api' type SectionId = | 'overview' | 'control-planes' | 'networks' | 'nodes' | 'tokens' | 'acl' | 'key-policy' | 'users' | 'audit' type BannerTone = 'info' | 'warning' | 'error' | 'success' type BannerMessage = { tone: BannerTone text: string } const sections: { id: SectionId; label: string; hint: string }[] = [ { id: 'overview', label: 'Overview', hint: 'Pulse & posture' }, { id: 'control-planes', label: 'Control Planes', hint: 'Origins & routes' }, { id: 'networks', label: 'Networks', hint: 'Provision & catalog' }, { id: 'nodes', label: 'Nodes', hint: 'Approve & rotate' }, { id: 'tokens', label: 'Tokens', hint: 'Invite securely' }, { id: 'acl', label: 'ACL', hint: 'Policy canvas' }, { id: 'key-policy', label: 'Key Policy', hint: 'Rotation cadence' }, { id: 'users', label: 'Users', hint: 'Access graph' }, { id: 'audit', label: 'Audit', hint: 'Trace every move' }, ] const DEFAULT_SCOPE = { scope_type: 'global', scope_id: 'global' } function App() { const [authReady, setAuthReady] = useState(false) const [session, setSession] = useState(null) useEffect(() => { getMe() .then((me) => setSession(me)) .catch(() => setSession(null)) .finally(() => setAuthReady(true)) }, []) if (!authReady) { return (
Loading console...
) } if (!session) { return } if (!session.console_access) { return (

Console access is not granted

This account is authenticated, but it does not have the console:access permission.

) } return ( setSession(null)} onSessionUpdated={setSession} /> ) } function LoginScreen({ onAuthed }: { onAuthed: (session: AuthSession) => void }) { const [email, setEmail] = useState('') const [password, setPassword] = useState('') const [providers, setProviders] = useState([]) const [error, setError] = useState(null) const [loading, setLoading] = useState(false) useEffect(() => { listProviders() .then(setProviders) .catch(() => setProviders([])) }, []) const handleSubmit = async (event: FormEvent) => { event.preventDefault() setLoading(true) setError(null) try { const response = await login(email, password) onAuthed(response) } catch (err) { setError((err as Error).message) } finally { setLoading(false) } } return (
LS

Lightscale Admin

Orchestrate control planes with intent.

{error &&
{error}
}
{providers.length > 0 && (

Single sign-on

{providers.map((provider) => ( {provider.name} ))}
)}

Zero single points of failure.

Build a multi-region control plane ledger backed by CockroachDB and manage it in one place.

Layered auth

Local accounts, OIDC, and scoped roles with audit trails.

Operational focus

Approve nodes, rotate keys, and author network policy rapidly.

Designed to scale

Aggregate multiple control planes without a monolith.

) } function AdminShell({ user, permissions, onLogout, onSessionUpdated, }: { user: AuthUserSummary permissions: string[] onLogout: () => void onSessionUpdated: (session: AuthSession) => void }) { const [active, setActive] = useState('overview') const [banner, setBanner] = useState(null) const [controlPlanes, setControlPlanes] = useState([]) const [networks, setNetworks] = useState([]) const [roles, setRoles] = useState([]) const [users, setUsers] = useState([]) const [selectedControlPlaneId, setSelectedControlPlaneId] = useState('') const [selectedNetworkId, setSelectedNetworkId] = useState('') const [selectedUser, setSelectedUser] = useState(null) const [nodesResponse, setNodesResponse] = useState(null) const [keyHistory, setKeyHistory] = useState(null) const [aclText, setAclText] = useState('') const [keyPolicy, setKeyPolicy] = useState(null) const [tokenResult, setTokenResult] = useState(null) const [revokedToken, setRevokedToken] = useState(null) const [bootstrapToken, setBootstrapToken] = useState(null) const [adminAudit, setAdminAudit] = useState([]) const [controlPlaneAudit, setControlPlaneAudit] = useState(null) const selectedNetwork = useMemo( () => networks.find((network) => network.id === selectedNetworkId) || null, [networks, selectedNetworkId], ) const selectedNodeCount = nodesResponse?.nodes.length ?? 0 const permissionSet = useMemo(() => new Set(permissions), [permissions]) const hasPermission = (permission: string) => user.super_admin || permissionSet.has(permission) const canControlPlanesRead = hasPermission('control_planes:read') const canControlPlanesWrite = hasPermission('control_planes:write') const canNetworksRead = hasPermission('networks:read') const canNetworksWrite = hasPermission('networks:write') const canNodesRead = hasPermission('nodes:read') const canNodesWrite = hasPermission('nodes:write') const canTokensWrite = hasPermission('tokens:write') const canAclRead = hasPermission('acl:read') const canAclWrite = hasPermission('acl:write') const canKeyPolicyRead = hasPermission('key_policy:read') const canKeyPolicyWrite = hasPermission('key_policy:write') const canUsersRead = hasPermission('users:read') const canUsersWrite = hasPermission('users:write') const canRolesRead = hasPermission('roles:read') const canAuditRead = hasPermission('audit:read') const visibleSections = useMemo( () => sections.filter((section) => { switch (section.id) { case 'overview': return true case 'control-planes': return canControlPlanesRead case 'networks': return canNetworksRead case 'nodes': return canNodesRead case 'tokens': return canTokensWrite case 'acl': return canAclRead case 'key-policy': return canKeyPolicyRead case 'users': return canUsersRead case 'audit': return canAuditRead } }), [ canAclRead, canAuditRead, canControlPlanesRead, canKeyPolicyRead, canNetworksRead, canNodesRead, canTokensWrite, canUsersRead, ], ) useEffect(() => { if (canControlPlanesRead) { refreshControlPlanes() } if (canNetworksRead) { refreshNetworks() } if (canRolesRead) { refreshRoles() } if (canUsersRead) { refreshUsers() } }, [canControlPlanesRead, canNetworksRead, canRolesRead, canUsersRead]) useEffect(() => { if (visibleSections.some((section) => section.id === active)) { return } if (visibleSections.length > 0) { setActive(visibleSections[0].id) } }, [active, visibleSections]) useEffect(() => { if (controlPlanes.length && !selectedControlPlaneId) { setSelectedControlPlaneId(controlPlanes[0].id) } }, [controlPlanes, selectedControlPlaneId]) useEffect(() => { if (networks.length && !selectedNetworkId) { setSelectedNetworkId(networks[0].id) } }, [networks, selectedNetworkId]) useEffect(() => { if (!selectedNetworkId) return if (canNodesRead) { listNodes(selectedNetworkId) .then(setNodesResponse) .catch((err) => handleError(err, 'error')) } else { setNodesResponse(null) } if (canAclRead) { getAcl(selectedNetworkId) .then((policy) => setAclText(JSON.stringify(policy, null, 2))) .catch(() => setAclText('')) } else { setAclText('') } if (canKeyPolicyRead) { getKeyPolicy(selectedNetworkId) .then(setKeyPolicy) .catch(() => setKeyPolicy(null)) } else { setKeyPolicy(null) } }, [selectedNetworkId, canAclRead, canKeyPolicyRead, canNodesRead]) useEffect(() => { if (active !== 'audit' || !canAuditRead) return listAdminAudit({ limit: 200 }) .then(setAdminAudit) .catch((err) => handleError(err, 'error')) }, [active, canAuditRead]) const refreshControlPlanes = async () => { try { const data = await listControlPlanes() setControlPlanes(data) } catch (err) { handleError(err, 'error') } } const refreshNetworks = async () => { try { const data = await listNetworks() setNetworks(data) } catch (err) { handleError(err, 'error') } } const refreshRoles = async () => { try { const data = await listRoles() setRoles(data) } catch (err) { handleError(err, 'error') } } const refreshUsers = async () => { try { const data = await listUsers() setUsers(data) } catch (err) { handleError(err, 'error') } } const handleError = (err: unknown, tone: BannerTone) => { setBanner({ tone, text: (err as Error).message }) setTimeout(() => setBanner(null), 4000) } const handleLogout = async () => { try { await logout() } finally { onLogout() } } const handleSelectUser = async (userId: string) => { try { const detail = await getUser(userId) setSelectedUser(detail) } catch (err) { handleError(err, 'error') } } const handleUpdateCurrentUser = async () => { try { const refreshed = await getMe() if (!refreshed.console_access) { onLogout() return } onSessionUpdated(refreshed) } catch (err) { handleError(err, 'warning') } } const handleNodeAction = async (action: () => Promise) => { try { await action() if (selectedNetworkId) { const updated = await listNodes(selectedNetworkId) setNodesResponse(updated) } } catch (err) { handleError(err, 'error') } } const handleAclSave = async () => { if (!selectedNetworkId) return try { const parsed = JSON.parse(aclText) await updateAcl(selectedNetworkId, parsed) handleError(new Error('ACL updated.'), 'success') } catch (err) { handleError(err, 'error') } } const handleKeyPolicySave = async (maxAge: number | null) => { if (!selectedNetworkId) return try { const updated = await updateKeyPolicy(selectedNetworkId, { max_age_seconds: maxAge || null, }) setKeyPolicy(updated) handleError(new Error('Key policy updated.'), 'success') } catch (err) { handleError(err, 'error') } } return (

{visibleSections.find((section) => section.id === active)?.label || 'Overview'}

{selectedNetwork ? `${selectedNetwork.name} · ${selectedNetwork.control_plane_name}` : 'Select a network to unlock node actions.'}

{banner &&
{banner.text}
}
{active === 'overview' && (

Control plane mesh

{controlPlanes.length} control planes online.

Networks {networks.length}
Nodes (selected) {selectedNodeCount}

Active signals

Audit log for admin actions and control plane events.

{canAuditRead ? ( ) : (

No audit permission.

)}

Role coverage

{roles.length} roles configured. {users.length} users in directory.

{canUsersRead ? ( ) : (

No user-directory permission.

)}

Network posture

Keep ACLs tight and key rotation moving.

{canAclRead ? ( ) : (

No ACL permission.

)}
)} {active === 'control-planes' && canControlPlanesRead && ( { const created = await createControlPlane(payload) setControlPlanes((prev) => [...prev, created]) }} onUpdate={async (id, payload) => { const updated = await updateControlPlane(id, payload) setControlPlanes((prev) => prev.map((plane) => (plane.id === updated.id ? updated : plane)), ) }} onVerify={async (id) => verifyControlPlane(id)} onDelete={async (id) => { await deleteControlPlane(id) setControlPlanes((prev) => prev.filter((plane) => plane.id !== id)) }} onBanner={setBanner} /> )} {active === 'networks' && canNetworksRead && ( { const result = await createNetwork(payload) setNetworks((prev) => [...prev, result.network]) setBootstrapToken(result.bootstrap_token || null) setSelectedNetworkId(result.network.id) }} onDelete={async (id) => { await deleteNetwork(id) setNetworks((prev) => prev.filter((network) => network.id !== id)) }} onSelect={(id) => setSelectedNetworkId(id)} selectedNetworkId={selectedNetworkId} bootstrapToken={bootstrapToken} /> )} {active === 'nodes' && canNodesRead && ( handleNodeAction(() => approveNode(selectedNetworkId, nodeId)) } onRevoke={(nodeId) => handleNodeAction(() => revokeNode(selectedNetworkId, nodeId)) } onRotate={(nodeId) => handleNodeAction(() => rotateNodeKeys(selectedNetworkId, nodeId, {})) } onViewKeys={async (nodeId) => { if (!selectedNetworkId) return try { const history = await nodeKeys(selectedNetworkId, nodeId) setKeyHistory(history) } catch (err) { handleError(err, 'error') } }} /> )} {active === 'tokens' && canTokensWrite && ( { if (!selectedNetworkId) return const response = await createToken(selectedNetworkId, payload) setTokenResult(response) setRevokedToken(null) }} onRevoke={async (tokenId) => { if (!selectedNetworkId) return const response = await revokeToken(selectedNetworkId, tokenId) setRevokedToken(response) }} /> )} {active === 'acl' && canAclRead && ( )} {active === 'key-policy' && canKeyPolicyRead && ( )} {active === 'users' && canUsersRead && ( { const created = await createUser(payload) setUsers((prev) => [created.user, ...prev]) setSelectedUser(created) }} onUpdate={async (userId, payload) => { const updated = await updateUser(userId, payload) setUsers((prev) => prev.map((record) => (record.id === updated.id ? updated : record)), ) if (selectedUser && selectedUser.user.id === updated.id) { setSelectedUser({ ...selectedUser, user: updated, }) } }} onSetPassword={async (userId, password) => { await setUserPassword(userId, password) }} onAddMembership={async (userId, payload) => { const membership = await addMembership(userId, payload) if (selectedUser && selectedUser.user.id === userId) { setSelectedUser({ ...selectedUser, memberships: [membership, ...selectedUser.memberships], }) } }} onDeleteMembership={async (userId, membershipId) => { await deleteMembership(userId, membershipId) if (selectedUser && selectedUser.user.id === userId) { setSelectedUser({ ...selectedUser, memberships: selectedUser.memberships.filter( (membership) => membership.id !== membershipId, ), }) } }} /> )} {active === 'audit' && canAuditRead && ( { const entries = await listAdminAudit({ limit: 200 }) setAdminAudit(entries) }} onFetchControlPlane={async (id, params) => { const response = await listControlPlaneAudit(id, params) setControlPlaneAudit(response) }} /> )}
) } function ControlPlaneSection({ controlPlanes, canWrite, onCreate, onUpdate, onVerify, onDelete, onBanner, }: { controlPlanes: ControlPlaneSummary[] canWrite: boolean onCreate: (payload: { name: string base_url: string admin_token?: string region?: string }) => Promise onUpdate: ( id: string, payload: { name?: string base_url?: string admin_token?: string clear_admin_token?: boolean region?: string }, ) => Promise onVerify: (id: string) => Promise<{ ok: boolean; status?: number; body?: string }> onDelete: (id: string) => Promise onBanner: (message: BannerMessage) => void }) { const [form, setForm] = useState({ id: '', name: '', base_url: '', admin_token: '', region: '', clear_admin_token: false, }) const [loading, setLoading] = useState(false) const resetForm = () => { setForm({ id: '', name: '', base_url: '', admin_token: '', region: '', clear_admin_token: false, }) } const handleSubmit = async (event: FormEvent) => { event.preventDefault() if (!canWrite) return setLoading(true) try { if (form.id) { await onUpdate(form.id, { name: form.name, base_url: form.base_url, admin_token: form.admin_token || undefined, clear_admin_token: form.clear_admin_token, region: form.region || undefined, }) onBanner({ tone: 'success', text: 'Control plane updated.' }) } else { await onCreate({ name: form.name, base_url: form.base_url, admin_token: form.admin_token || undefined, region: form.region || undefined, }) onBanner({ tone: 'success', text: 'Control plane created.' }) } resetForm() } catch (err) { onBanner({ tone: 'error', text: (err as Error).message }) } finally { setLoading(false) } } return (

Create or update control plane

{form.id && ( )}
{form.id && ( )}

Registered control planes

{controlPlanes.map((plane) => (
{plane.name}

{plane.base_url}

{plane.region || 'unassigned'} {plane.has_admin_token ? ( token stored ) : ( no token )}
{canWrite && ( <> )}
))} {controlPlanes.length === 0 && (

No control planes yet.

)}
) } function NetworksSection({ controlPlanes, networks, canWrite, onCreate, onDelete, onSelect, selectedNetworkId, bootstrapToken, }: { controlPlanes: ControlPlaneSummary[] networks: NetworkSummary[] canWrite: boolean onCreate: (payload: { control_plane_id: string name: string overlay_v4?: string overlay_v6?: string dns_domain?: string requires_approval?: boolean key_rotation_max_age_seconds?: number bootstrap_token_ttl_seconds?: number bootstrap_token_uses?: number bootstrap_token_tags?: string[] }) => Promise onDelete: (id: string) => Promise onSelect: (id: string) => void selectedNetworkId: string bootstrapToken: EnrollmentToken | null }) { const [form, setForm] = useState({ control_plane_id: '', name: '', overlay_v4: '', overlay_v6: '', dns_domain: '', requires_approval: false, key_rotation_max_age_seconds: '', bootstrap_token_ttl_seconds: '', bootstrap_token_uses: '1', bootstrap_token_tags: '', }) const handleSubmit = async (event: FormEvent) => { event.preventDefault() if (!canWrite) return if (!form.control_plane_id) return await onCreate({ control_plane_id: form.control_plane_id, name: form.name, overlay_v4: form.overlay_v4 || undefined, overlay_v6: form.overlay_v6 || undefined, dns_domain: form.dns_domain || undefined, requires_approval: form.requires_approval, key_rotation_max_age_seconds: form.key_rotation_max_age_seconds ? Number(form.key_rotation_max_age_seconds) : undefined, bootstrap_token_ttl_seconds: form.bootstrap_token_ttl_seconds ? Number(form.bootstrap_token_ttl_seconds) : undefined, bootstrap_token_uses: form.bootstrap_token_uses ? Number(form.bootstrap_token_uses) : undefined, bootstrap_token_tags: form.bootstrap_token_tags ? form.bootstrap_token_tags.split(',').map((tag) => tag.trim()) : undefined, }) setForm({ control_plane_id: form.control_plane_id, name: '', overlay_v4: '', overlay_v6: '', dns_domain: '', requires_approval: false, key_rotation_max_age_seconds: '', bootstrap_token_ttl_seconds: '', bootstrap_token_uses: '1', bootstrap_token_tags: '', }) } return (

Provision a network

{bootstrapToken && (

Bootstrap token

{bootstrapToken.token}
Uses left: {bootstrapToken.uses_left} Expires: {formatEpoch(bootstrapToken.expires_at)}
)}

Known networks

{networks.map((network, index) => (
onSelect(network.id)} > {network.name}

{network.network_id}

{network.control_plane_name} {network.requires_approval && ( approval required )}
{network.overlay_v4 || '-'}
{canWrite && ( )}
))} {networks.length === 0 &&

No networks yet.

}
) } function NodesSection({ network, nodes, keyHistory, canWrite, onApprove, onRevoke, onRotate, onViewKeys, }: { network: NetworkSummary | null nodes: NodeInfo[] keyHistory: KeyHistoryResponse | null canWrite: boolean onApprove: (nodeId: string) => void onRevoke: (nodeId: string) => void onRotate: (nodeId: string) => void onViewKeys: (nodeId: string) => void }) { if (!network) { return
Select a network to view nodes.
} return (

Nodes in {network.name}

{nodes.map((node) => (
{node.name}

{node.dns_name}

{node.approved ? ( approved ) : ( pending )} {node.owner_is_admin && admin-issued} {node.revoked && revoked} {node.key_rotation_required && ( rotate keys )}
{node.owner_email && Owner: {node.owner_email}} Last seen: {formatEpoch(node.last_seen)}
{canWrite && !node.approved && !node.revoked && ( )} {canWrite && !node.revoked && ( )} {canWrite && ( )}
))} {nodes.length === 0 &&

No nodes yet.

}

Key history

{keyHistory ? (
{keyHistory.keys.map((key) => (
{key.key_type}

{key.public_key}

{formatEpoch(key.created_at)} {key.revoked_at && ( revoked {formatEpoch(key.revoked_at)} )}
))}
) : (

Select a node to view key history.

)}
) } function TokensSection({ network, tokenResult, revokedToken, onCreate, onRevoke, }: { network: NetworkSummary | null tokenResult: CreateTokenResponse | null revokedToken: EnrollmentToken | null onCreate: (payload: { ttl_seconds: number; uses: number; tags: string[] }) => void onRevoke: (tokenId: string) => void }) { const [form, setForm] = useState({ ttl_seconds: '3600', uses: '1', tags: '' }) const [revokeId, setRevokeId] = useState('') if (!network) { return
Select a network to manage tokens.
} return (

Create enrollment token

{ event.preventDefault() onCreate({ ttl_seconds: Number(form.ttl_seconds), uses: Number(form.uses), tags: form.tags ? form.tags.split(',').map((tag) => tag.trim()) : [], }) }} className="stack" >
{tokenResult && (

Generated token

{tokenResult.token.token}
Uses left: {tokenResult.token.uses_left} Expires: {formatEpoch(tokenResult.token.expires_at)}
{(tokenResult.token.owner_email || tokenResult.token.owner_is_admin) && (
{tokenResult.token.owner_email && ( Owner: {tokenResult.token.owner_email} )} {tokenResult.token.owner_is_admin && Privilege: admin}
)}
)}

Revoke token

{ event.preventDefault() onRevoke(revokeId) }} className="stack" >
{revokedToken && (

Revoked token

{revokedToken.token} revoked
)}
) } function AclSection({ network, aclText, canWrite, onChange, onSave, }: { network: NetworkSummary | null aclText: string canWrite: boolean onChange: (value: string) => void onSave: () => void }) { if (!network) { return
Select a network to edit ACL.
} return (

ACL policy for {network.name}