Demo surfaces
Five entry points, one stack
Everything below is live · synthetic data only
/demo
Live ops dashboard
Top-tile counters · punch heatmap · 7-day trend · verdict pie · pending approvals · geofences · holidays · live feed.
Open dashboard →
/mobile-demo
Mobile prototype (browser)
Walkthrough of the actual Flutter app — punch (L1/L2), face match (L3), leave, tour, month grid, manager view, profile.
Open prototype →
/admin
Admin console
Real sign-in (sb-IAM). 16 Blade pages: today/late/absent · leaves · tours · employees · devices · geofences · holidays · reports + CSV.
Sign in →
POST /api/v1/punch
GET /api/v1/me
POST /api/v1/leaves
GET /api/v1/manager/team/today
POST /api/v1/face/enroll
/api/documentation
OpenAPI 3.1 reference
Full Swagger UI — every endpoint with request / response schemas, scopes, examples. Generated from PHP attributes.
Browse API →
mobile
api
audit
sb-iam
postgres
replica
/doc
Architecture & runbooks
Mermaid diagrams · data model · biometric flow · DigiLocker · Parichay · security · runbook · changelog.
Read docs →
200 OK
/api/healthz
Service health
Liveness probe — DB, Redis, audit pipeline, Vault transit. Returns JSON for scrapers.
Probe →
Right now
What the demo data looks like
Pending leaves
6
awaiting approver
Pending tours
0
out-of-station
Active geofences
9
point-in-polygon
Holidays loaded
9
next 12 months
Identity tiers
3
L1 / L2 / L3
phpunit
64 / 64
all green
Capabilities
Nine pillars that make this parliament-grade
🔐
Crypto-bound punches
Each IN/OUT carries a P-256 ECDSA signature from the bound device. Replay nonce, server-side verify, six rejection verdicts.
More →
👤
Three identity tiers
L1 device + crypto, L2 + on-device biometric, L3 + self-hosted face match (AES-256-GCM, Vault-transit-wrapped DEKs, liveness gate).
More →
📍
GeoJSON geofences
Point-in-polygon + Wi-Fi SSID allowlist. PostGIS-ready upgrade path. Per-cohort applies-to allowlists.
More →
📋
CCS leave engine
CL/EL/HPL/COMMUTED/CCL/RH with prefix/suffix/holiday rules, per-cohort caps, half-day, balance ledger, cancel + auto-credit.
More →
🛂
eKYC self-enrollment
DigiLocker PKCE flow, name + DOB match against the roster. No raw Aadhaar, DOB or photo bytes ever persisted.
More →
🛡️
Append-only audit
Every state-changing call streams via Redis to sds_audit Postgres. Logical replication to a read-only replica.
More →
📱
Flutter mobile app
15+ screens: punch, face-punch, leave, tour, devices, profile, eKYC enroll, manager view. Offline-tolerant queue.
More →
🧑💼
Manager dashboard
/v1/manager/* — team-today, absent, pending approvals, summary. JSONB reporting-chain scope, RBAC-gated.
More →
🏛️
sb-IAM SSO
OAuth2 PKCE against sb-iam.rajyasabha.digital. Web + mobile clients, fine-grained scopes, Parichay-bridged identity.
More →
End-to-end
A single punch, from finger to ledger
1
Mobile
User taps PUNCH IN. App collects GPS, Wi-Fi BSSID, device key, optional biometric.
2
Sign
Payload (employee_id, ts, nonce, geo) signed with the device key (P-256 ECDSA).
3
API
POST /v1/punch. Server verifies sig, replay nonce, geofence, biometric, liveness.
4
Decide
Verdict resolved (accepted / rejected_*). Required tier looked up by cohort+context.
5
Audit
Punch + verdict written + streamed to sds_audit. Replicated to read-only replica.
Ready to see it move?
Two clicks, two surfaces — desktop ops and the mobile prototype, both wired to the same live API and the same synthetic dataset.