Skip to content
Teros Platform Docs

Ops (apps/ops)

apps/ops is the internal-facing Next.js (App Router) app. It is the only frontend that exposes platform-administration surfaces and the only one that the company-admin, company-member, teros-ops, and teros-ops-admin roles ever see.

Audiences

Section titled “Audiences”

Two very different audiences share one app:

AudienceRolesScope
Company userscompany-admin, company-memberTheir own organizationId only
Teros staffteros-ops, teros-ops-adminCross-organization access

The page surface is gated by role at the layout level. Routes that surface cross-organization data (e.g. candidate search across the pool, audit log across orgs) live behind a Teros-ops-only layout. Pages that mutate platform-wide state (legacy migrations, irreversible admin tools) are further gated to teros-ops-admin.

Key flows

Section titled “Key flows”
  • Company dashboard — overview of pipeline state, recent activity, open postings.
  • Candidate search — Teros-ops cross-pool search; companies see candidates that have engaged with their postings.
  • Job postings — create, edit, close, and review applications for a company’s postings.
  • Pipeline management — advance candidates through stages, schedule interviews, leave feedback (company-member is limited to feedback/interview steps; company-admin can advance/reject).
  • Settings & team — invite/remove company members, edit the company profile (admins only).
  • Audit log — every privileged action is recorded; companies see their own org’s log, Teros-ops sees the platform-wide log.

Routes (sketch)

Section titled “Routes (sketch)”
/                              Dashboard (role-aware)
/login                         WorkOS AuthKit handoff
/candidates                    Search candidates (ops cross-org, company within their pipeline)
/candidates/[id]               Candidate detail
/jobs                          Job postings list
/jobs/new                      Create posting
/jobs/[id]                     Posting detail + applicants
/applications/[id]             Application detail + stage events
/settings/team                 Manage company members (company-admin)
/audit                         Audit log
/ops/...                       Teros-ops-only surfaces (matches /v1/ops-dashboard on the API)
/ops/admin/...                 Teros-ops-admin-only surfaces

The exact route table lives in apps/ops/src/app/**; treat the sketch above as orientation, not contract.

teros-ops vs. teros-ops-admin at the page level

Section titled “teros-ops vs. teros-ops-admin at the page level”
  • teros-ops sees every Teros-ops surface: candidate search, pipelines across companies, ops dashboard, audit log.
  • teros-ops-admin is the only role that sees admin-only routes — legacy file migration controls and other one-shot maintenance flows. The Permissions Matrix is the canonical list of which endpoints require which role; the Ops layout should gate the page based on the same set.

Auth enforcement

Section titled “Auth enforcement”
  • WorkOS AuthKit for sessions; packages/auth-config for route protection at the middleware layer.
  • The middleware redirects anonymous users to sign-in, and prevents users without the required role from reaching role-gated layouts.
  • Server actions and Server Components carry the WorkOS JWT and call apps/api; the API is what actually enforces the role check on the data.