feat(admin): add admin dashboard app

Author: richiemcilroy

apps/admin/next.config.ts

@@ -0,0 +1,11 @@
+import { config } from 'dotenv'
+import type { NextConfig } from 'next'
+
+config({ path: '../../.env' })
+
+const nextConfig: NextConfig = {
+  reactStrictMode: true,
+  transpilePackages: ['@sandchest/contract', '@sandchest/db'],
+}
+
+export default nextConfig

apps/admin/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "@sandchest/admin",
+  "version": "0.0.1",
+  "private": true,
+  "type": "module",
+  "scripts": {
+    "dev": "next dev --turbopack -p 3003",
+    "build": "next build",
+    "start": "next start",
+    "typecheck": "tsc --noEmit",
+    "lint": "next lint"
+  },
+  "dependencies": {
+    "@sandchest/contract": "workspace:*",
+    "@sandchest/db": "workspace:*",
+    "@tanstack/react-query": "^5.90.21",
+    "cpu-features": "^0.0.10",
+    "dotenv": "^17.3.1",
+    "drizzle-orm": "^0.39.0",
+    "jose": "^6.0.11",
+    "mysql2": "^3.11.0",
+    "next": "^15.3.3",
+    "react": "^19.2.4",
+    "react-dom": "^19.2.4",
+    "server-only": "^0.0.1",
+    "ssh2": "^1.16.0"
+  },
+  "devDependencies": {
+    "@tailwindcss/postcss": "^4.0.0",
+    "@types/bun": "^1.3.9",
+    "@types/node": "^25.3.0",
+    "@types/react": "^19.2.14",
+    "@types/react-dom": "^19.2.3",
+    "@types/ssh2": "^1.15.5",
+    "tailwindcss": "^4.0.0",
+    "typescript": "^5.7.0"
+  }
+}

apps/admin/postcss.config.mjs

@@ -0,0 +1,7 @@
+const config = {
+  plugins: {
+    '@tailwindcss/postcss': {},
+  },
+}
+
+export default config

apps/admin/public/fonts/GeistMono-Variable.woff2

@@ -0,0 +1,8 @@
+import { NextResponse } from 'next/server'
+import { SESSION_COOKIE } from '@/lib/auth'
+
+export async function POST() {
+  const response = NextResponse.json({ ok: true })
+  response.cookies.delete(SESSION_COOKIE)
+  return response
+}

apps/admin/src/app/api/auth/logout/route.ts

@@ -0,0 +1,24 @@
+import { NextResponse } from 'next/server'
+import { validatePassword, createSessionToken, SESSION_COOKIE } from '@/lib/auth'
+
+export async function POST(request: Request) {
+  const body = await request.json() as { password?: string }
+  const password = body.password
+
+  if (typeof password !== 'string' || !validatePassword(password)) {
+    return NextResponse.json({ error: 'Invalid password' }, { status: 401 })
+  }
+
+  const token = await createSessionToken()
+  const response = NextResponse.json({ ok: true })
+
+  response.cookies.set(SESSION_COOKIE, token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 60 * 60 * 24, // 24 hours
+  })
+
+  return response
+}

apps/admin/src/app/api/auth/route.ts

@@ -0,0 +1,78 @@
+import { NextResponse } from 'next/server'
+import { eq } from 'drizzle-orm'
+import { getDb } from '@/lib/db'
+import { adminServers } from '@sandchest/db/schema'
+import { decrypt } from '@/lib/encryption'
+import { createSshConnection, execCommand } from '@/lib/ssh'
+
+export async function POST(
+  request: Request,
+  { params }: { params: Promise<{ serverId: string }> },
+) {
+  const { serverId } = await params
+  const body = await request.json() as { command?: string }
+
+  if (!body.command || typeof body.command !== 'string') {
+    return NextResponse.json({ error: 'command is required' }, { status: 400 })
+  }
+
+  const db = getDb()
+  const [server] = await db
+    .select()
+    .from(adminServers)
+    .where(eq(adminServers.id, Buffer.from(serverId, 'hex') as unknown as Uint8Array))
+    .limit(1)
+
+  if (!server) {
+    return NextResponse.json({ error: 'Server not found' }, { status: 404 })
+  }
+
+  let sshKey: string
+  try {
+    sshKey = decrypt(server.sshKeyEncrypted, server.sshKeyIv, server.sshKeyTag)
+  } catch {
+    return NextResponse.json({ error: 'Failed to decrypt SSH key' }, { status: 500 })
+  }
+
+  const start = Date.now()
+
+  let conn
+  try {
+    conn = await createSshConnection({
+      host: server.ip,
+      port: server.sshPort,
+      username: server.sshUser,
+      privateKey: sshKey,
+    })
+  } catch (err) {
+    return NextResponse.json(
+      {
+        stdout: '',
+        stderr: `SSH connection failed: ${err instanceof Error ? err.message : String(err)}`,
+        exit_code: -1,
+        duration_ms: Date.now() - start,
+      },
+      { status: 200 },
+    )
+  }
+
+  try {
+    const result = await execCommand(conn, body.command)
+    conn.end()
+
+    return NextResponse.json({
+      stdout: result.stdout,
+      stderr: result.stderr,
+      exit_code: result.code,
+      duration_ms: Date.now() - start,
+    })
+  } catch (err) {
+    conn.end()
+    return NextResponse.json({
+      stdout: '',
+      stderr: `Command execution error: ${err instanceof Error ? err.message : String(err)}`,
+      exit_code: -1,
+      duration_ms: Date.now() - start,
+    })
+  }
+}

apps/admin/src/app/api/command/[serverId]/route.ts

@@ -0,0 +1,193 @@
+import { NextResponse } from 'next/server'
+import { eq } from 'drizzle-orm'
+import { getDb } from '@/lib/db'
+import { adminServers } from '@sandchest/db/schema'
+import { decrypt } from '@/lib/encryption'
+import { createSshConnection, execCommand } from '@/lib/ssh'
+import { PROVISION_STEPS, type StepResult } from '@/lib/provisioner'
+
+export async function POST(
+  _request: Request,
+  { params }: { params: Promise<{ serverId: string }> },
+) {
+  const { serverId } = await params
+  const db = getDb()
+  const serverIdBuf = Buffer.from(serverId, 'hex') as unknown as Uint8Array
+
+  const [server] = await db
+    .select()
+    .from(adminServers)
+    .where(eq(adminServers.id, serverIdBuf))
+    .limit(1)
+
+  if (!server) {
+    return NextResponse.json({ error: 'Server not found' }, { status: 404 })
+  }
+
+  if (server.provisionStatus !== 'failed') {
+    return NextResponse.json({ error: 'Can only retry from failed state' }, { status: 409 })
+  }
+
+  // Find the failed step index (PlanetScale may return JSON columns as strings)
+  const raw = server.provisionSteps
+  const steps: StepResult[] = Array.isArray(raw)
+    ? raw as StepResult[]
+    : typeof raw === 'string'
+      ? JSON.parse(raw) as StepResult[]
+      : []
+  const failedIndex = steps.findIndex((s) => s.status === 'failed')
+  if (failedIndex === -1) {
+    return NextResponse.json({ error: 'No failed step found' }, { status: 400 })
+  }
+
+  // Decrypt SSH key
+  let sshKey: string
+  try {
+    sshKey = decrypt(server.sshKeyEncrypted, server.sshKeyIv, server.sshKeyTag)
+  } catch {
+    return NextResponse.json({ error: 'Failed to decrypt SSH key' }, { status: 500 })
+  }
+
+  // Reset failed and subsequent steps to pending
+  for (let i = failedIndex; i < steps.length; i++) {
+    steps[i] = { id: steps[i]!.id, status: 'pending' }
+  }
+
+  await db
+    .update(adminServers)
+    .set({
+      provisionStatus: 'provisioning',
+      provisionStep: PROVISION_STEPS[failedIndex]!.id,
+      provisionSteps: steps,
+      provisionError: null,
+      updatedAt: new Date(),
+    })
+    .where(eq(adminServers.id, serverIdBuf))
+
+  // Run remaining steps in background
+  retryProvisioning(serverId, server.ip, server.sshPort, server.sshUser, sshKey, steps, failedIndex).catch(
+    () => {},
+  )
+
+  return NextResponse.json({ status: 'provisioning', retry_from: PROVISION_STEPS[failedIndex]!.id })
+}
+
+async function retryProvisioning(
+  serverId: string,
+  ip: string,
+  port: number,
+  username: string,
+  privateKey: string,
+  stepResults: StepResult[],
+  startIndex: number,
+) {
+  const db = getDb()
+  const serverIdBuf = Buffer.from(serverId, 'hex') as unknown as Uint8Array
+
+  let conn
+  try {
+    conn = await createSshConnection({ host: ip, port, username, privateKey })
+  } catch (err) {
+    await db
+      .update(adminServers)
+      .set({
+        provisionStatus: 'failed',
+        provisionError: `SSH connection failed: ${err instanceof Error ? err.message : String(err)}`,
+        updatedAt: new Date(),
+      })
+      .where(eq(adminServers.id, serverIdBuf))
+    return
+  }
+
+  for (let i = startIndex; i < PROVISION_STEPS.length; i++) {
+    const step = PROVISION_STEPS[i]!
+
+    stepResults[i] = { id: step.id, status: 'running' }
+    await db
+      .update(adminServers)
+      .set({
+        provisionStep: step.id,
+        provisionSteps: [...stepResults],
+        updatedAt: new Date(),
+      })
+      .where(eq(adminServers.id, serverIdBuf))
+
+    const fullCommand = step.commands.join(' && ')
+
+    try {
+      const result = await execCommand(conn, fullCommand)
+      const output = result.stdout + (result.stderr ? `\n${result.stderr}` : '')
+
+      if (result.code !== 0) {
+        stepResults[i] = { id: step.id, status: 'failed', output: output.trim() }
+        await db
+          .update(adminServers)
+          .set({
+            provisionStatus: 'failed',
+            provisionStep: step.id,
+            provisionSteps: [...stepResults],
+            provisionError: `Step "${step.name}" failed with exit code ${result.code}`,
+            updatedAt: new Date(),
+          })
+          .where(eq(adminServers.id, serverIdBuf))
+        conn.end()
+        return
+      }
+
+      let fullOutput = output
+      if (step.validate) {
+        const valResult = await execCommand(conn, step.validate)
+        if (valResult.code !== 0) {
+          stepResults[i] = { id: step.id, status: 'failed', output: `Validation failed: ${valResult.stderr || valResult.stdout}`.trim() }
+          await db
+            .update(adminServers)
+            .set({
+              provisionStatus: 'failed',
+              provisionStep: step.id,
+              provisionSteps: [...stepResults],
+              provisionError: `Validation for "${step.name}" failed`,
+              updatedAt: new Date(),
+            })
+            .where(eq(adminServers.id, serverIdBuf))
+          conn.end()
+          return
+        }
+        fullOutput += `\nValidation: ${valResult.stdout.trim()}`
+      }
+
+      stepResults[i] = { id: step.id, status: 'completed', output: fullOutput.trim() }
+    } catch (err) {
+      stepResults[i] = { id: step.id, status: 'failed', output: `Error: ${err instanceof Error ? err.message : String(err)}` }
+      await db
+        .update(adminServers)
+        .set({
+          provisionStatus: 'failed',
+          provisionStep: step.id,
+          provisionSteps: [...stepResults],
+          provisionError: `Step "${step.name}" threw: ${err instanceof Error ? err.message : String(err)}`,
+          updatedAt: new Date(),
+        })
+        .where(eq(adminServers.id, serverIdBuf))
+      conn.end()
+      return
+    }
+
+    await db
+      .update(adminServers)
+      .set({
+        provisionSteps: [...stepResults],
+        updatedAt: new Date(),
+      })
+      .where(eq(adminServers.id, serverIdBuf))
+  }
+
+  conn.end()
+  await db
+    .update(adminServers)
+    .set({
+      provisionStatus: 'completed',
+      provisionSteps: [...stepResults],
+      updatedAt: new Date(),
+    })
+    .where(eq(adminServers.id, serverIdBuf))
+}