Overview
As-of: 2026-05-09. Source of truth:
passkey-shellrepo,rg-passkey-stgAzure resource group.
What This Is
Passkey Portal is a governance-first credential issuance system that mediates time-bounded access to shared credentials stored in Keeper Security’s vault. It wraps Keeper’s native sharing mechanism in an approval workflow, lease lifecycle, and audit trail — enforcing who can request credentials, who can approve, how long access lasts, and what happens when it expires.
The system runs as a Node/TypeScript backend (Express + Prisma + Postgres) with a React frontend (Fluent UI 9 + Tailwind) designed to embed in Microsoft Teams via Bot Framework Adaptive Cards. Identity is Entra ID (Azure AD). Vault reads use the KSM SDK; vault writes (one-time share creation) use Commander CLI subprocess. All secrets are Azure Key Vault references — no raw credentials in the application.
Current State (v1)
Staging is deployed and healthy. Production App Service exists but is not yet serving traffic.
| Dimension | Status |
|---|---|
| Staging App Service | app-passkey-stg-ben-6b2f — deployed, /healthz 200 |
| Prod App Service | app-passkey-prod-1353 — provisioned, not deployed |
| Vault mode | staging (KSM reads real vault, Commander shares stubbed) |
| Governance gate | HARDEN_GOVERNANCE_v1=false (soak mode) |
| Bot Framework | Not registered — Teams notification flow is skeleton only |
| Background jobs | Enabled on staging (RUN_BACKGROUND_JOBS=true) |
| Backend test suite | 33 test files, Node built-in runner, passing |
| Frontend test runner | Not wired — vitest not in scripts, 2 test files exist |
| Keeper trial | Active, trial period (12-day window from provisioning) |
| KSM Application | Created, IP lock checked at creation (needs unchecking) |
Four Questions This Site Answers
-
Architecture — Component topology, data flow, integration points, data model. How the system works technically, per phase.
-
Evolution — v1 (current pilot) to v3 (planned hardening + scale) to v4 (SMS Android MFA). Where the product is going and what’s underspecified.
-
Cost — Build cost to date, Azure/Keeper run rate at current scale, projected cost at 100/1,000/10,000 users. Real SKU pricing, not estimates.
-
Roadmap & Next Steps — What’s needed from leadership: headcount, vendor decisions, security review time, production deployment approval.
Navigation
| Page | What It Covers |
|---|---|
| Architecture | Components, data flow, integrations, deployment topology, data model |
| Decision Log | Major architectural decisions with context and rationale |
| Implementation Status | Honest component-by-component snapshot: done / stubbed / not started |
| Security Architecture | Auth flows, secret handling, audit trail, threat surface, compliance posture |
| Cost Model | Build cost, ongoing Azure/Keeper run rate, projected cost at scale |
| Roadmap | v1 now / v3 next / v4 later / out of scope |
| Risk Register | Technical and operational risks with mitigation status |
| Asks | What the product needs from leadership |
| Glossary | Reference definitions for Keeper, KSM, Entra, Adaptive Cards, etc. |