laravel-rebel-admin maintained by padosoft

Description
Web Admin Panel (Blade + AJAX + vanilla JS) for Laravel Rebel: security operations.
Last update
2026/06/03 12:32 (dev-feat/admin)
Downloads
0


Laravel Rebel — Web Admin Panel

A security-operations dashboard for your auth stack. A clean Blade + vanilla-JS panel that hydrates entirely from the Rebel Admin API: security overview, OTP/step-up funnels, channels, providers, audit explorer, devices, risk rules, anomalies, AI copilot and compliance — light/dark, tenant-aware, no JS framework required. Part of the padosoft/laravel-rebel-* suite.



What it is

The web UI of the Rebel control plane. It does not query your database directly — it renders a skeleton and hydrates each widget over the Admin API (AbortController fetch, explicit loading/empty/error states). It's deliberately dependency-light: Blade + a single vanilla-JS file + CSS variables, no Alpine/Livewire/React/Vue required, Bootstrap-compatible.

Depends on padosoft/laravel-rebel-core and padosoft/laravel-rebel-admin-api (the data source).

v0.1.0 status: the full shell (10 sections, theming, tenant/period context, access gate) is in place; Security Overview and Audit Explorer hydrate from the live API, and the remaining sections render an "endpoint pending" state until their Admin API endpoints ship in upcoming releases.


Screenshots

[Screenshots: Audit explorer · Anomaly detection · Channel performance · Risk rules · Providers · Compliance center · Device & session trust · AI security copilot]

Why this panel

| What | In short |
|---|---|
| ★★★ API-driven, no direct DB queries | The UI only talks to the Admin API — safe, cacheable, and decoupled from your schema. |
| ★★★ Dependency-light | Blade + one vanilla-JS file + CSS variables. No JS framework, no heavy build step. |
| ★★★ Fail-closed access | Anonymous → login; authenticated without the rebel-admin ability → 403. |
| ★★ Light/dark + tenant/period context | Theme toggle and global context that re-hydrates every widget. |
| ★★ Explicit widget states | Every widget draws loading (skeleton), empty, and error (with retry). |
| ★★ Accessible & responsive | Focus-visible, aria-live regions, collapsible sidebar. |

Rebel Admin Panel vs the alternatives

Building an auth-ops dashboard, compared:

| Capability | Rebel Admin Panel | Generic admin (Nova/Filament) | Hand-rolled Blade dashboards |
|---|---|---|---|
| Purpose-built for the Rebel auth stack | | | |
| API-driven (no direct DB coupling) | | | |
| No JS framework / heavy build required | | | |
| Built-in light/dark + tenant/period context | | | |
| Explicit loading/empty/error per widget | | | |
| Fail-closed access gate out of the box | | | |
| Ships with the security section designs | | | |

Legend: ✅ built-in · ➖ partial / DIY · ❌ not available.


Installation

composer require padosoft/laravel-rebel-admin
php artisan vendor:publish --tag="rebel-admin-config"
php artisan vendor:publish --tag="rebel-admin-assets"   # publishes CSS/JS to public/vendor/laravel-rebel-admin

Grant access by defining the rebel-admin Gate (fail-closed by default):

Gate::define('rebel-admin', fn ($user) => $user->is_admin === true);

Visit /admin/rebel.


Configuration

File config/rebel-admin.php:

| Key | Default | What it does |
|---|---|---|
| prefix | admin/rebel | Where the panel is mounted. |
| middleware | ['web'] | Base middleware (session); EnsurePanelAccess is appended. |
| guard | '' | Auth guard to require ('' = default). |
| ability | rebel-admin | Gate ability to require (fail-closed). |
| api_base | /rebel/admin/api/v1 | The Admin API base the JS hydrates from. |
| login_redirect | /login | Where anonymous visitors are sent. |

Sections

Overview · OTP & Step-up Funnels · Channel Performance · Provider Health · Audit Explorer · Device & Session Trust · Risk Rules · Anomaly Detection · AI Security Copilot · Compliance Center. See docs/admin-panel-template-spec.md for the full per-section component + endpoint specification.


Architecture

Browser ──GET /admin/rebel/{section}──► PanelController ──► Blade shell (skeleton + data-rebel-widget)
                                                                   │
   rebel-admin.js scans [data-rebel-widget], for each:            │
        AbortController fetch ──► {api_base}/<endpoint> (Admin API) ──► render (cards/table) | empty | error

Each section is one Blade page that renders the skeleton and declares its widgets via data-rebel-widget + data-endpoint; rebel-admin.js hydrates them and re-fetches on tenant/period changes.


Security notes

  • No direct DB access from the UI — only the Admin API, which is itself permission-gated and tenant-scoped.
  • Fail-closed: the panel requires the rebel-admin ability by default.
  • No plaintext PII: the Admin API only exposes HMAC'd identifiers; the panel renders text via textContent (no innerHTML interpolation of data).
  • Same-origin, CSRF-aware requests.
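
The hydration flow from the Architecture section combined with the rendering and request rules above, as an added example (not code from rebel-admin.js or the project). The function name hydrateWidget, its options, the { data: [{ label, value }] } response shape and the use of Laravel's X-CSRF-TOKEN header are assumptions made for illustration.

```javascript
// Added example: hydrateWidget and its option names are hypothetical,
// not the identifiers used in rebel-admin.js.
const inflight = new WeakMap(); // element -> AbortController of its current request

async function hydrateWidget(el, { apiBase, context = {}, csrfToken = '',
                                   fetchImpl = fetch, doc = globalThis.document }) {
  inflight.get(el)?.abort();               // a tenant/period change cancels the stale request
  const controller = new AbortController();
  inflight.set(el, controller);
  el.dataset.state = 'loading';

  // URL = configured api_base + the widget's data-endpoint + context as query string.
  const qs = new URLSearchParams(context).toString();
  const url = `${apiBase}/${el.dataset.endpoint}${qs ? `?${qs}` : ''}`;
  try {
    const res = await fetchImpl(url, {
      signal: controller.signal,
      credentials: 'same-origin',          // session cookie is sent to our own origin only
      headers: { Accept: 'application/json', 'X-CSRF-TOKEN': csrfToken },
    });
    if (!res.ok) throw new Error(`HTTP ${res.status}`);
    const { data = [] } = await res.json();   // assumed response shape
    if (controller.signal.aborted) return 'aborted'; // late answer for an old context: drop it
    if (data.length === 0) {
      el.textContent = 'No data';
      return (el.dataset.state = 'empty');
    }
    const rows = data.map((item) => {
      const row = doc.createElement('div');
      row.textContent = `${item.label}: ${item.value}`; // inserted as text, never parsed as HTML
      return row;
    });
    el.replaceChildren(...rows);
    return (el.dataset.state = 'ready');
  } catch (err) {
    if (err.name === 'AbortError' || controller.signal.aborted) return 'aborted';
    el.textContent = 'Could not load this widget.'; // generic message, no server detail echoed
    return (el.dataset.state = 'error');
  }
}
```

Because API values are assigned through textContent, a value such as `<b>x</b>` stored in an audit record shows up literally in the panel instead of becoming markup.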

.env.example

REBEL_ADMIN_PREFIX=admin/rebel
REBEL_ADMIN_GUARD=
REBEL_ADMIN_ABILITY=rebel-admin
REBEL_ADMIN_API_BASE=/rebel/admin/api/v1
REBEL_ADMIN_LOGIN_REDIRECT=/login

Testing & License

composer test      # Pest (access gate, shell rendering, sections, fail-closed)
composer phpstan   # static analysis, level max
composer pint      # code style

License: MIT — see LICENSE. Part of the padosoft/laravel-rebel suite.