Serve Next.js SOC dashboard at /ui with FastAPI redirect from /.

.dockerignore

@@ -11,7 +11,6 @@ chroma_data
 .env
 frontend/node_modules
 frontend/.next
+frontend/out
 *.log
-import_profile*.txt
-import_p3.txt
 .tmp_import.log

.gitignore

@@ -1,5 +1,4 @@
 .venv/
-.venv_py314/
 __pycache__/
 *.py[cod]
 .pytest_cache/
@@ -8,7 +7,7 @@ __pycache__/
 chroma_data/
 .env
 frontend/.next/
+frontend/out/
 frontend/node_modules/
 dist/
 *.log
-!demo_logs/auth_demo.log

Dockerfile

@@ -1,5 +1,15 @@
-# Hugging Face Spaces (Docker SDK) — app must listen on 7860.
-# Space has no bundled Postgres/Redis; backend degrades with SKIP_DB / no REDIS_URL.
+# Hugging Face Spaces (Docker): API + static Next.js dashboard at /ui/
+FROM node:22-alpine AS frontend_build
+WORKDIR /build/frontend
+COPY frontend/package.json frontend/package-lock.json ./
+RUN npm ci
+COPY frontend ./
+ENV NEXT_TELEMETRY_DISABLED=1 \
+    NEXT_STATIC_EXPORT=1 \
+    NEXT_PUBLIC_BASE_PATH=/ui \
+    NEXT_PUBLIC_API_URL=
+RUN npm run build
+
 FROM python:3.12-slim
 
 ENV PYTHONDONTWRITEBYTECODE=1 \
@@ -22,6 +32,7 @@ COPY requirements.txt /app/requirements.txt
 RUN pip install --no-cache-dir -r /app/requirements.txt
 
 COPY . /app
+COPY --from=frontend_build /build/frontend/out /app/frontend/out
 
 RUN mkdir -p /app/demo_logs
 

README.md

@@ -14,6 +14,22 @@ short_description: SentinelAI — Autonomous Multi-Agent AI SOC
 
 ---
 
+---
+title: SentinelAI
+emoji: 🏃
+colorFrom: red
+colorTo: pink
+sdk: docker
+app_port: 7860
+pinned: false
+license: apache-2.0
+short_description: SentinelAI — Autonomous Multi-Agent AI SOC
+---
+
+**This Hugging Face Space** serves the SOC dashboard at **`/ui/`** (static Next.js behind FastAPI). Open the Space URL in a browser and you are redirected from `/` to the deck; API docs stay at **`/docs`**. The container uses `SKIP_DB=1` (no bundled PostgreSQL/Redis).
+
+---
+
 # SentinelAI — Autonomous Multi-Agent AI SOC
 
 SentinelAI is a hackathon-grade, production-shaped **autonomous Security Operations Center**. It continuously ingests telemetry through collector agents, normalizes and enriches events, runs multi-modal detection (rules + heuristics + optional LLM reasoning on AMD ROCm), correlates attack chains, scores risk, drafts analyst narratives, emits remediation, and fans out alerts—while a **Next.js 15** command deck visualizes live operations.

backend/app/main.py

@@ -12,8 +12,10 @@ import threading
 from pathlib import Path
 from typing import Annotated, Any
 
-from fastapi import Depends, FastAPI, WebSocket, WebSocketDisconnect
+from fastapi import Depends, FastAPI, Request, WebSocket, WebSocketDisconnect
 from fastapi.middleware.cors import CORSMiddleware
+from fastapi.responses import RedirectResponse
+from fastapi.staticfiles import StaticFiles
 
 ROOT = Path(__file__).resolve().parents[2]
 if str(ROOT) not in sys.path:
@@ -174,6 +176,10 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
+_UI_STATIC = ROOT / "frontend" / "out"
+if _UI_STATIC.is_dir():
+    app.mount("/ui", StaticFiles(directory=str(_UI_STATIC), html=True), name="ui")
+
 
 async def get_session():
     if os.getenv("SKIP_DB", "").lower() in {"1", "true", "yes"}:
@@ -280,10 +286,14 @@ async def replay_buffer():
 
 
 @app.get("/")
-async def root():
-    """Landing hint — FastAPI did not define `/` before; browsers hitting only the host saw 404."""
+async def root(request: Request):
+    """Browsers get the Next dashboard at `/ui` when static export is baked in; API clients keep JSON."""
+    accept = request.headers.get("accept") or ""
+    if _UI_STATIC.is_dir() and accept.startswith("text/html"):
+        return RedirectResponse(url="/ui/", status_code=302)
     return {
         "service": "SentinelAI SOC API",
+        "dashboard": "/ui/",
         "docs": "/docs",
         "health": "/health",
         "openapi_json": "/openapi.json",

frontend/next.config.ts

@@ -1,6 +1,10 @@
 import type { NextConfig } from "next";
 import path from "path";
 
+/** When `NEXT_STATIC_EXPORT=1`, emit `out/` for embedding behind FastAPI (e.g. Hugging Face Docker Space). */
+const staticExport = process.env.NEXT_STATIC_EXPORT === "1";
+const basePath = process.env.NEXT_PUBLIC_BASE_PATH?.trim() ?? "";
+
 const nextConfig: NextConfig = {
   // Keeps output file tracing anchored to this app when multiple lockfiles exist on the machine.
   outputFileTracingRoot: path.join(process.cwd()),
@@ -8,6 +12,13 @@ const nextConfig: NextConfig = {
   eslint: {
     ignoreDuringBuilds: true,
   },
+  ...(staticExport
+    ? {
+        output: "export" as const,
+        images: { unoptimized: true },
+      }
+    : {}),
+  ...(basePath ? { basePath } : {}),
 };
 
 export default nextConfig;

frontend/src/app/page.tsx

@@ -71,13 +71,27 @@ function normalizeApiOrigin(raw: string): string {
   }
 }
 
-function apiBase() {
-  const raw = process.env.NEXT_PUBLIC_API_URL ?? "http://127.0.0.1:8000";
+function apiBase(): string {
+  const raw = process.env.NEXT_PUBLIC_API_URL;
+  if (raw === undefined || raw === "") {
+    if (typeof window !== "undefined") {
+      return window.location.origin;
+    }
+    return "";
+  }
   return normalizeApiOrigin(raw);
 }
 
-function wsUrl() {
-  const base = apiBase();
+function wsUrl(): string {
+  const raw = process.env.NEXT_PUBLIC_API_URL;
+  if (raw === undefined || raw === "") {
+    if (typeof window !== "undefined") {
+      const proto = window.location.protocol === "https:" ? "wss:" : "ws:";
+      return `${proto}//${window.location.host}/live-events`;
+    }
+    return "ws://127.0.0.1:8000/live-events";
+  }
+  const base = normalizeApiOrigin(raw);
   return base.replace(/^http/, "ws") + "/live-events";
 }