// SETTINGS PLATFORM — Firm · Security · Roles · Users · Teams const Ts_f = window.ArbiterTokens; function SettingsFirm({ data }) { const stg = window.__stg; const f = data.firm; const Card = window.SettingsSectionCard; const Row = window.SettingsRow; return (
Legal name{f.legalName}
Founded{f.founded}
Headcount{f.headcount}{f.lawyers} lawyers
Offices{f.offices.length}
Fiscal year{f.fiscalYearStart}
Practice areas{f.practiceAreas.length}
+ Office}>
{f.offices.map(o => ( ))}
Office Country Address Seats
{o.city} {o.primary && HQ} {o.country} {o.address} {o.seats}
{f.practiceAreas.map(pa => ( {pa} × ))}
{[ { label: 'Primary logo', file: f.branding.logoPrimary, note: 'SVG preferred · 4:1 horizontal' }, { label: 'Mark', file: f.branding.logoMark, note: 'Square · 1:1 app icon' }, { label: 'Favicon', file: f.branding.favicon, note: '32×32 · 16×16' }, { label: 'Letterhead', file: f.branding.letterhead, note: 'PDF · A4 + US Letter' }, { label: 'Email banner', file: f.branding.emailBanner, note: '1200×320 · PNG/JPG' }, ].map(b => (
{b.label}
{b.file.split('/').pop()}
{b.note}
))}
Accent color
Invoice theme
); } function SettingsSecurity({ data }) { const stg = window.__stg; const s = data.security; const Card = window.SettingsSectionCard; const infra = window.__stg_infra; const { useToast, InfoTip, DangerZone, TypedConfirmDialog, AuditDrawer, sampleHistory } = infra; const toast = useToast(); const { useState } = React; const [ssoWizard, setSsoWizard] = useState(false); const [pwDetail, setPwDetail] = useState(false); const [confirm, setConfirm] = useState(null); const [audit, setAudit] = useState(null); // Policy tooltips (key→explanation) const policyTips = { 'mfa.required': { text: 'Require every user to enroll multi-factor authentication before accessing the firm.', recommended: true }, 'mfa.methods': { text: 'Which MFA factors are accepted. WebAuthn/passkeys are strongest; SMS is weakest (SIM-swap risk).', recommended: true }, 'session.duration': { text: 'How long a login session stays valid before the user must re-authenticate.', recommended: true }, 'session.idle': { text: 'Idle time after which the session is invalidated. Shorter is safer; 15m is standard for legal.', recommended: true }, 'password.complexity': { text: 'Minimum character mix. Length > complexity per NIST 800-63B.', recommended: false }, 'password.rotation': { text: 'Force password change on schedule. NIST now advises against rotation unless breach suspected.', recommended: false }, 'device.trust': { text: 'Only allow logins from devices that pass attestation (managed laptops, compliant mobile).', recommended: true }, 'ip.allowlist.enforced': { text: 'Reject all logins outside the CIDR ranges listed below. Use with caution — break-glass account required.', recommended: false }, 'audit.retention': { text: 'How long audit logs are kept. Regulators generally require 7 years for legal work.', recommended: true }, 'sso.enforced': { text: 'All logins must go through your IdP. Disables local password login entirely.', recommended: true }, 'sso.jit': { text: 'Auto-provision users on first SSO login. Assign default role below.', recommended: false }, 'data.residency': { text: 'Pin tenant data to a specific Azure region. Required for EU (GDPR) and certain contracts.', recommended: false }, }; return (
Security score{s.summary.score}Overall grade
MFA coverage{s.summary.mfaCoverage}%Target 100%
Risky events 7d{s.riskyEvents.length}
Key rotation{s.summary.keyRotationDueDays}dUntil next
Policies{s.policies.length}All enforced
IP allowlists{s.ipAllowlist.length}
{/* SSO setup + password policy quick actions */}
Single Sign-On (SSO) } action={}>
Provider
Azure AD (SAML 2.0)
Status
● Connected
Entity ID
urn:arbiter:prod:sp
JIT provisioning
Enabled · default role: Associate
 Password policy } action={}>
Min length
14 chars
History
Last 10 blocked
Rotation
On compromise only
Breach check
● HIBP enabled
{pwDetail && <>
Complexity
3 of 4 classes
Max age
Lockout
10 fails / 15m
Grace period
48h on force-change
}
setAudit({ label: 'Security policies', history: sampleHistory('policies') })}>View history}>
{s.policies.map(p => { const tip = policyTips[p.id]; return ( );})}
Policy Value Status
{p.label}{tip && } {p.value} {p.enforced ? 'Enforced' : 'Audit only'}
+ Add range}>
{s.ipAllowlist.map(ip => ( ))}
Label CIDR Scope
{ip.label} {ip.cidr} {ip.scope}
View all}>
{s.riskyEvents.map(e => (
{e.user} {e.severity}
{e.event}
{e.when}
))}
At rest
{s.encryption.atRest}
In transit
{s.encryption.inTransit}
Key rotation
{s.encryption.keyRotation}
Last rotation {s.encryption.lastRotation}
 {/* Danger zone — #24 */}
Revoke all active sessions
Forces every logged-in user to re-authenticate immediately. Use if you suspect a token leak. Impacts {data.users?.length || 0} users.
Disable SSO (fall back to local login)
Users will be forced to set or reset local passwords. Break-glass accounts must be ready.
Rotate master encryption key
Re-encrypts all data with a new CMK. Takes ~2 hours. Read-only mode during rotation.
 setConfirm(null)} onConfirm={() => { toast.push({ kind: 'warn', title: 'All sessions revoked', message: '134 users signed out' }); setConfirm(null); }} /> setConfirm(null)} onConfirm={() => { toast.push({ kind: 'error', title: 'SSO disabled' }); setConfirm(null); }} /> setConfirm(null)} onConfirm={() => { toast.push({ kind: 'info', title: 'CMK rotation queued', message: 'Will start at 02:00 UTC tonight' }); setConfirm(null); }} /> {/* SSO wizard modal */} {ssoWizard && setSsoWizard(false)} toast={toast} stg={stg} Ts_f={Ts_f} />} setAudit(null)} />
); } // SSO setup wizard — 4 steps function SsoWizard({ onClose, toast, stg, Ts_f }) { const { useState } = React; const [step, setStep] = useState(0); const steps = ['Provider', 'Metadata', 'Attribute mapping', 'Test & enable']; return (
e.stopPropagation()} style={{ background: '#fff', borderRadius: '10px', maxWidth: '640px', width: '100%', boxShadow: '0 16px 48px rgba(0,0,0,0.25)' }}>
SSO setup · step {step + 1} of {steps.length}
{steps.map((s, i) => (
))}
{step === 0 &&
Choose your identity provider
{['Azure AD', 'Okta', 'Google Workspace', 'ADFS', 'OneLogin', 'Custom SAML'].map(p => ( ))}
} {step === 1 &&
Upload IdP metadata XML or paste URL
— or —
Drop metadata.xml here
} {step === 2 &&
Map IdP claims → user attributes
{[['Email','http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'], ['First name','.../givenname'], ['Last name','.../surname'], ['Role','http://arbiter/role']].map(([k, v]) => (
{k}
))}
} {step === 3 &&
Test your configuration
! Enabling SSO disables local password login. Ensure you have at least one break-glass admin with a working local password.
}
{step < steps.length - 1 ? : }
); } function SettingsRoles({ data }) { const stg = window.__stg; const roles = data.roles; const perms = data.permissions; const Card = window.SettingsSectionCard; const infra = window.__stg_infra; const { useToast, ImpactPill, InfoTip, TypedConfirmDialog } = infra; const toast = useToast(); const { useState, useEffect } = React; const [selectedRole, setSelectedRole] = useState(roles[0].id); const [mobile, setMobile] = useState(false); const [hoverCell, setHoverCell] = useState(null); // { resource, action } const [confirm, setConfirm] = useState(null); const current = roles.find(r => r.id === selectedRole); const matrix = perms.matrix[selectedRole] || {}; const hasPerm = (resource, action) => { if (matrix._all && matrix._all.includes(action)) return true; return (matrix[resource] || []).includes(action); }; // Detect narrow viewport for auto-mobile layout useEffect(() => { const check = () => setMobile(window.innerWidth < 900); check(); window.addEventListener('resize', check); return () => window.removeEventListener('resize', check); }, []); return (
Roles{roles.length}
Total assignments{roles.reduce((s, r) => s + r.users, 0)}
Resources{perms.resources.length}
Actions{perms.actions.length}
Super admins{roles[0].users}
+ Role}>
{roles.map(r => (
setSelectedRole(r.id)} style={{ display: 'grid', gridTemplateColumns: '4px 1fr auto', gap: '10px', alignItems: 'center', padding: '10px 12px', cursor: 'pointer', background: selectedRole === r.id ? stg.steelBg : 'transparent', borderRadius: '6px', marginBottom: '2px', }}>
{r.name}
{r.users} users
{r.id}
))}
Permission matrix — {current?.name} } action={
{current?.id !== 'R-001' && }
}>
{current?.description}
{mobile ? ( /* Mobile stacked layout */
{perms.resources.map(resource => (
{resource}
{perms.actions.map(a => { const has = hasPerm(resource, a); return ( {has ? 'ok ' : '· '}{a} ); })}
))}
) : (
{perms.actions.map(a => )} {perms.resources.map(resource => ( {perms.actions.map(a => { const has = hasPerm(resource, a); const isHover = hoverCell?.resource === resource && hoverCell?.action === a; return ( ); })} ))}
Resource{a}
{resource}
setHoverCell({ resource, action: a })} onMouseLeave={() => setHoverCell(null)} onClick={() => toast.push({ kind: 'info', title: `Would ${has ? 'revoke' : 'grant'} ${a} on ${resource}`, message: `Affects ${current?.users || 0} users · preview only` })} style={{ display: 'inline-flex', width: '22px', height: '22px', borderRadius: '4px', background: has ? stg.emeraldBg : Ts_f.color.bg.secondary, color: has ? stg.emerald : Ts_f.color.text.tertiary, alignItems: 'center', justifyContent: 'center', fontSize: '13px', fontWeight: 700, border: `1px solid ${has ? stg.emerald : Ts_f.color.border.light}`, cursor: 'pointer', transform: isHover ? 'scale(1.15)' : 'scale(1)', transition: 'transform 0.1s', }}>{has ? 'ok' : '·'}
{isHover && (
Click to {has ? 'revoke' : 'grant'} · affects {current?.users || 0}
)}
)}
{/* Ethical walls — #9 */} Ethical walls (matter-level ACLs) } action={}>
{[ { id: 'EW-001', matter: 'M-24-0089 · Acme v. Globex', users: 'Blake H., Dana L.', reason: 'Prior representation of Globex', since: '2024-08-14' }, { id: 'EW-002', matter: 'M-25-0143 · In re: Morningstar', users: 'Rachel K.', reason: 'Spouse is adverse witness', since: '2025-02-03' }, { id: 'EW-003', matter: 'M-25-0217 · Henderson Trust', users: 'Marcus T.', reason: 'Former employee of trustee', since: '2025-06-22' }, ].map(w => ( ))}
Wall Matter Excluded users Reason Since
{w.id} {w.matter} {w.users} {w.reason} {w.since}
{/* Conflict check — #10 */}
Conflict-check rules } action={}>
Name match threshold
Jaro-Winkler ≥ 0.88
Alias handling
Expand via synonym DB
Former-client lookback
10 years
Spouse / family
Cross-check enabled
Opposing counsel cache
Refresh nightly
Auto-clear threshold
< 0.4
Default TZ
Per office
Data residency
US-East (primary) · EU-West for GDPR matters
User language
Personal override
Office TZ override
5 offices configured
setConfirm(null)} onConfirm={() => { toast.push({ kind: 'warn', title: `Deleted role ${current?.name}`, message: `${current?.users || 0} users reassigned to Associate` }); setConfirm(null); }} />
); } function SettingsUsers({ data }) { const stg = window.__stg; const users = data.users; const roles = data.roles; const Card = window.SettingsSectionCard; const infra = window.__stg_infra; const { useToast, BulkBar, EmptyState, TypedConfirmDialog, AuditDrawer, sampleHistory, InfoTip } = infra; const toast = useToast(); const { useState } = React; const [search, setSearch] = useState(''); const [filter, setFilter] = useState('all'); const [selected, setSelected] = useState(new Set()); const [confirm, setConfirm] = useState(null); // { kind, users[] } const [impersonate, setImpersonate] = useState(null); const [audit, setAudit] = useState(null); const filtered = users.filter(u => { if (filter === 'active' && u.status !== 'active') return false; if (filter === 'pending' && u.status !== 'pending') return false; if (filter === 'suspended'&& u.status !== 'suspended')return false; if (filter === 'no-mfa' && u.mfa) return false; if (search) { const q = search.toLowerCase(); return u.name.toLowerCase().includes(q) || u.email.toLowerCase().includes(q) || u.team.toLowerCase().includes(q); } return true; }); const toggleOne = (id) => { const next = new Set(selected); if (next.has(id)) next.delete(id); else next.add(id); setSelected(next); }; const toggleAll = () => { if (selected.size === filtered.length) setSelected(new Set()); else setSelected(new Set(filtered.map(u => u.id))); }; const active = users.filter(u => u.status === 'active').length; const pending = users.filter(u => u.status === 'pending').length; const suspended = users.filter(u => u.status === 'suspended').length; const noMfa = users.filter(u => !u.mfa).length; return (
Users{users.length}
Active{active}
Pending invites{pending}
Suspended{suspended}
No MFA 0 ? stg.amber : stg.emerald }}>{noMfa}
Roles{roles.length}
setSearch(e.target.value)} style={{ ...stg.input, width: '280px' }} /> {[{k:'all',l:'All'},{k:'active',l:'Active'},{k:'pending',l:'Pending'},{k:'suspended',l:'Suspended'},{k:'no-mfa',l:'No MFA'}].map(f => ( ))}
{/* SCIM drift panel — #3 */} Directory sync (SCIM) } action={}>
Provider
Azure AD
arbiter.onmicrosoft.com
Last sync
● 4 min ago
success · 148 records
Provisioned
{users.length - 2} of {users.length}
via SCIM 2.0
Drift
setAudit({ label: 'SCIM drift', history: [{ actor: 'System', action: '2 accounts exist locally but not in IdP', at: '2026-04-23 11:14 UTC' }, { actor: 'System', action: 'Drift check ran', at: '2026-04-23 11:14 UTC' }] })}>! 2 orphan accounts →
 {/* Bulk action bar — #2 */} toast.push({ kind: 'info', title: `Changed role on ${selected.size} users`, onUndo: () => toast.push({ title: 'Reverted' }) }) }, { label: 'Force MFA enrollment', onClick: () => toast.push({ kind: 'success', title: `${selected.size} users prompted to enroll MFA on next login` }) }, { label: 'Reset sessions', onClick: () => toast.push({ kind: 'warn', title: `Revoked ${selected.size} active sessions` }) }, { label: 'Export CSV', onClick: () => toast.push({ kind: 'info', title: `Exported ${selected.size} users to CSV` }) }, { label: 'Deactivate', danger: true, onClick: () => setConfirm({ kind: 'bulkDeactivate', n: selected.size }) }, ]} />
{filtered.length === 0 ? (
) : (
{filtered.map(u => { const roleObj = roles.find(r => r.name === u.role); const statusK = u.status === 'active' ? 'ok' : u.status === 'pending' ? 'warn' : u.status === 'suspended' ? 'fail' : 'pending'; const source = u.id && (u.id.charCodeAt(2) % 3 === 0) ? 'Local' : 'SCIM'; return ( ); })}
0} ref={el => { if (el) el.indeterminate = selected.size > 0 && selected.size < filtered.length; }} onChange={toggleAll} /> User Email Role Team Office Source MFA Status Last active
toggleOne(u.id)} />
{u.name.split(' ').map(n => n[0]).join('').slice(0,2)}
{u.name}
{u.email} {u.role} {u.team} {u.office} {source} {u.mfa ? on : off} {u.status} {u.lastActive} {u.status !== 'suspended' && }
)}
{/* Typed-confirm dialogs */} setConfirm(null)} onConfirm={() => { toast.push({ kind: 'warn', title: `Suspended ${confirm.user.name}`, onUndo: () => toast.push({ title: 'Reinstated' }) }); setConfirm(null); }} /> setConfirm(null)} onConfirm={() => { toast.push({ kind: 'warn', title: `Deactivated ${confirm.n} users`, onUndo: () => toast.push({ title: 'Reactivated' }) }); setSelected(new Set()); setConfirm(null); }} /> {/* Impersonation banner — UX pattern */} {impersonate && (
Impersonating {impersonate.name} · every action audited
)} {/* Audit drawer */} setAudit(null)} />
); } function SettingsTeams({ data }) { const stg = window.__stg; const teams = data.teams; const Card = window.SettingsSectionCard; const total = teams.reduce((s, t) => s + t.members, 0); const matters = teams.reduce((s, t) => s + t.mattersActive, 0); return (
Teams{teams.length}
Assignments{total}
Active matters{matters}
Practice areas{new Set(teams.map(t => t.practiceArea)).size}
+ New team}>
{teams.map(t => (
{t.name}
Lead · {t.lead}
Members
{t.members}
Matters
{t.mattersActive}
Practice
{t.practiceArea}
))}
); } window.SettingsFirm = SettingsFirm; window.SettingsSecurity = SettingsSecurity; window.SettingsRoles = SettingsRoles; window.SettingsUsers = SettingsUsers; window.SettingsTeams = SettingsTeams;