AtomQuest Hackathon 2026 Β· Built with Next.js, Prisma, PostgreSQL & Azure AD
Cadence is a production-ready, serverless, role-based Goal Setting & Tracking Portal that eliminates the blind spots of spreadsheet-driven performance management. It enforces strict OKR rules, drives quarterly accountability, and integrates seamlessly into the Microsoft 365 ecosystem, all on a zero-ops, cost-optimized infrastructure.
- Core Features (BRD Phase 1 & 2)
- Bonus Features (Enterprise)
- Tech Stack
- How It Works
- Architecture Diagrams
- Evaluation Criteria
- Folder Structure
- Environment Variables
- Getting Started
- Verifying Azure AD SSO
- Testing the Features
Every mandatory BRD requirement is implemented, validated, and visible in the frontend.
- [x] Thrust Area Selection : Employees pick from predefined Thrust Areas when creating each goal
- [x] UoM Support : Four metric types:
MIN(Maximize),MAX(Minimize),TIMELINE(Date-based),ZERO(Zero-incident) - [x] Strict Weightage Validation : Server-enforced: min 10% per goal, total must equal exactly 100%, max 8 goals per sheet
- [x] L1 Manager Approval Workflow : Managers review, inline-edit target/weight, then approve or reject with a mandatory note
- [x] Goal Sheet Locking : Once approved, all goals are cryptographically locked in PostgreSQL (
isLocked: true) - [x] Shared / Departmental KPIs : Admin pushes a parent goal to N direct reports; sub-goals inherit the structure but allow individual weightage adjustments
- [x] Quarterly Windows (Q1:Q4) : Q1 Jul, Q2 Oct, Q3 Jan, Q4 Apr : enforced check-in periods mapped to
CheckInPeriodenum - [x] Employee Check-in Submission : Employees log
actualValue,status(NOT_STARTED / ON_TRACK / COMPLETED), and a note per goal per quarter - [x] Manager Check-in Review : Managers review achievements, leave structured comments, and mark reviews
- [x] Computed Score Engine : System auto-calculates progress score based on UoM type:
actual/targetfor MIN,target/actualfor MAX, binary for ZERO/TIMELINE
Significant progress was made on the enterprise-grade bonus requirements to demonstrate production readiness.
- [x] OAuth 2.0 / OIDC via
next-authv5 with MicrosoftEntraID provider - [x] "Sign in with Microsoft" button visible on the login page, directly below the Sign In button
- [x] Pre-Provisioned Identity Model : For strict enterprise security, users must be pre-provisioned in the PostgreSQL database. If an unauthorized Azure AD user attempts to log in, they are safely rejected.
- [x] SSO Bridge (
/sso-callback) : After successful OAuth validation against the database, creates a customaq_sessioncookie and redirects to the correct role dashboard based on local RBAC rules.
How it works:
- User clicks "Sign in with Microsoft" β redirected to Microsoft login
- NextAuth handles OAuth and returns the verified user identity
/sso-callbackpage queries the Postgres DB to verify the user exists and grabs their predefined organizational role- Custom JWT session cookie is created β user is redirected to their role dashboard
- [x] Goal Submitted β Manager receives a branded HTML email (Resend) to review the sheet
- [x] Goal Approved β Employee receives an email notification that their goals are locked
- [x] Goal Rejected β Employee receives an email notification that their goals require revision
- [ ] Microsoft Teams Integration β Foundation laid in
src/lib/teams.ts, but webhooks are not actively firing in the current build - [ ] Check-in Reminders β Placeholder cron infrastructure established, awaiting active dispatch logic
How it works:
src/lib/email.ts: Resend API integration with consistent branded HTML templates, triggered securely within Server Actions so they never block the main client workflow
Three configurable SLA rules run on a scheduled cron job:
| Rule | Condition | Escalation Level |
|---|---|---|
| Goal Submission Overdue | Employee hasn't submitted >14 days after cycle opens | Manager notified |
| Approval Overdue | Sheet pending approval >7 days after submission | HR/Admin notified |
| Check-in Missing | Active quarter window with no check-in logged | Manager notified |
- [x] Escalation chain : Employee β Manager β HR/Admin via email + Teams, based on rule severity
- [x] Deduplication : Each rule type is only triggered once per employee per cycle (idempotent via
isResolved+ metadatatypecheck) - [x] Admin Escalations Dashboard :
/admin/escalationsshows all open and resolved escalations with employee details, SLA type badges, and timestamps - [x] One-click Resolve : Admins can mark escalations as resolved directly from the dashboard
- [x] Manual Trigger : "Run Escalation Scan" button in the admin UI allows HR to trigger the engine on demand
- [x] Cron endpoint :
GET /api/cron/escalationsecured withCRON_SECRET, auto-triggered weekly via Vercel Cron
How it works:
src/lib/escalation.ts: Core rule engine; queries all employees, evaluates all 3 rules, createsEscalationLogrecords and fires notificationssrc/app/api/cron/escalation/route.ts: HTTP endpoint secured byAuthorization: Bearer CRON_SECRETheader
Full-featured analytics dashboard for Admin / HR at /admin/analytics:
- [x] Top KPI Stats : Total employees, submitted, approved, not started, submission rate %, approval rate %, avg progress score, check-ins logged
- [x] Submissions by Department : Grouped bar chart (Recharts) comparing submitted vs approved per department
- [x] Goal Distribution by Thrust Area : Donut pie chart showing spread across thrust areas
- [x] Quarter-on-Quarter (QoQ) Progress : Line chart showing average computed score per Q1/Q2/Q3/Q4
- [x] Goal Distribution by UoM Type : Bar chart breaking down MIN/MAX/TIMELINE/ZERO goals
- [x] Goal Sheet Status Breakdown : Donut chart: Draft / Pending / Approved / Rejected / Locked
- [x] Department Table : Sortable table with progress bar per department
- [x] Manager Effectiveness Dashboard :
/admin/analytics/manager-effectiveness: grouped bar chart + table comparing submission rate, approval rate, avg approval time, and check-in comment rate across all L1 managers - [x] CSV Export :
GET /api/export?year=YYYYgenerates a full goal sheet export for HR
| Layer | Technology |
|---|---|
| Framework | Next.js 16 (App Router, Server Components, Server Actions) |
| Database | PostgreSQL (Supabase/Neon) via Prisma ORM |
| Auth | Auth.js v5 (NextAuth) : Credentials + Microsoft Entra ID |
| Styling | Tailwind CSS v4 + Shadcn UI + Radix Primitives |
| Charts | Recharts |
| Resend API | |
| Teams | Microsoft Teams Incoming Webhook (Adaptive Cards) |
| Deployment | Vercel (Serverless + Edge + Cron Jobs) |
| Theming | next-themes (Dark / Light mode, default: Light) |
Every Server Action begins with getSession() β validates the JWT cookie β checks the user's role before any DB query. There is no client-side role gating : all authorization is server-enforced.
- Mutations β Next.js Server Actions (type-safe RPC, no REST endpoints needed)
- Reads β React Server Components with direct Prisma queries (zero client-side fetching)
- Notifications β
Promise.all([email, teams])fired after successful mutations, never blocking the main flow - Scheduled Jobs β Vercel Cron β secured HTTP endpoints β DB queries + notifications
Custom aq_session JWT cookie (signed with SESSION_SECRET using jose) stores userId, role, name, email. The SSO bridge at /sso-callback translates the NextAuth session into this custom format.
graph TD
Browser["Browser (React / Tailwind)"] -->|App Router RSC| NextJS["Next.js 16 Serverless"]
subgraph "Next.js Runtime"
NextJS --> SA["Server Actions (mutations)"]
NextJS --> RSC["Server Components (reads)"]
NextJS --> API["API Routes (cron, export, auth)"]
end
SA -->|Prisma ORM| DB[("PostgreSQL (Supabase)")]
RSC -->|Prisma ORM| DB
SA -->|Resend SDK| Email["Resend Email"]
SA -->|HTTP Webhook| Teams["Microsoft Teams"]
API -->|NextAuth| Entra["Microsoft Entra ID"]
Cron["Vercel Cron"] -->|Bearer CRON_SECRET| API
graph LR
Root["RootLayout (ThemeProvider, Toaster)"] --> Auth["(auth) Group"]
Root --> Dashboard["(dashboard) Group"]
Auth --> Login["LoginPage\n- Canvas mesh animation\n- SSO button\n- Demo accounts"]
Dashboard --> Sidebar["Sidebar\n- Role-based nav\n- Theme toggle\n- User info"]
Dashboard --> Employee["Employee Pages\n- Goals CRUD\n- Check-ins"]
Dashboard --> Manager["Manager Pages\n- Approvals\n- Check-in review"]
Dashboard --> Admin["Admin Pages\n- Analytics (6 charts)\n- Escalations\n- Integrations\n- Audit Log"]
sequenceDiagram
actor E as Employee
participant UI as Next.js Client
participant SA as Server Action
participant DB as PostgreSQL
actor M as Manager
E->>UI: Fills goals, clicks Submit
UI->>SA: submitGoalSheetAction(sheetId)
SA->>DB: Validate: goals>0, total==100%, each>=10%
alt Validation fails
DB-->>SA: Error
SA-->>UI: Return error state (toast)
else Passes
SA->>DB: UPDATE status = PENDING_APPROVAL
SA-->>UI: Success (revalidate path)
SA--x M: Email + Teams card (async)
end
M->>UI: Opens /manager/approvals
M->>SA: approveGoalSheetAction(sheetId)
SA->>DB: UPDATE status=APPROVED, isLocked=true (transaction)
SA--x E: Email + Teams card (async)
stateDiagram-v2
[*] --> DRAFT : Employee creates sheet
DRAFT --> PENDING_APPROVAL : Employee submits\n(total == 100%)
PENDING_APPROVAL --> REJECTED : Manager returns\n(with note)
REJECTED --> PENDING_APPROVAL : Employee revises\n& resubmits
PENDING_APPROVAL --> APPROVED : Manager approves\n(goals locked)
APPROVED --> LOCKED : System locks\n(post-approval)
state LOCKED {
direction LR
[*] --> Q1_CheckIn
Q1_CheckIn --> Q2_CheckIn
Q2_CheckIn --> Q3_CheckIn
Q3_CheckIn --> Q4_CheckIn
Q4_CheckIn --> [*]
}
LOCKED --> [*] : Cycle year ends
Every BRD requirement is implemented with full server-side validation. Goal weightage math (min 10%, total = 100%) is enforced on both client (UX) and server (security). The computed score engine correctly handles all 4 UoM types. The escalation engine is idempotent : safe to run multiple times per day.
- Phase 1: Goal creation, L1 approval, shared KPIs β
- Phase 2: Quarterly check-ins, manager review, computed scores β
- Bonus 5.1: Azure AD SSO with auto-provisioning and role mapping β
- Bonus 5.2: Email (Resend) + Teams webhook with deep-links β
- Bonus 5.3: Three-rule escalation engine with admin dashboard β
- Bonus 5.4: Six analytics charts + manager effectiveness dashboard β
- Visually stunning login page with animated mesh canvas and glassmorphism showcase section
- Light/Dark theme toggle (default: Light) with full theme-aware CSS variables
- Demo accounts pre-filled with one click : evaluators can test all 3 roles instantly
- Toasts for all actions, inline form validation, loading states on every button
- Responsive layout : works on mobile, tablet, and desktop
- End-to-end TypeScript : zero
anytypes in business logic - All Server Actions validate input with Zod before touching the DB
- Prisma transactions ensure atomic goal locking (approve + lock in one DB call)
- Audit Log captures every mutation with before/after JSON snapshots
- SSO bridge handles
upsertso concurrent logins are safe
- Zero dedicated server : Vercel Serverless scales to zero when idle
- Connection pooling : Supabase/Neon pgBouncer prevents connection exhaustion
- React Server Components : Only interactive islands use client JS (charts, forms)
- No third-party paid services : Resend free tier (3k emails/month), Teams webhook is free, Neon/Supabase free tier covers the DB
atomquest/
βββ prisma/
β βββ schema.prisma # Full DB schema (User, GoalSheet, Goal, CheckIn, EscalationLog, AuditLog)
β βββ seed.ts # Seeds 3 demo users (Employee, Manager, Admin) + sample goals
β
βββ src/
β βββ app/
β β βββ (auth)/
β β β βββ login/
β β β βββ page.tsx # Login page: mesh canvas, SSO button, demo accounts, feature showcase
β β β
β β βββ (dashboard)/
β β β βββ employee/
β β β β βββ page.tsx # Employee dashboard (goal status, check-in summary)
β β β β βββ goals/page.tsx # Goal CRUD + submit sheet
β β β β βββ checkins/page.tsx # Quarterly check-in submission
β β β β
β β β βββ manager/
β β β β βββ page.tsx # Manager dashboard
β β β β βββ approvals/page.tsx # Pending + recently approved sheets
β β β β βββ approvals/[userId]/page.tsx # Per-employee approval detail + inline edit
β β β β βββ checkins/page.tsx # Manager check-in review + comment
β β β β
β β β βββ admin/
β β β βββ page.tsx # Admin dashboard
β β β βββ employees/page.tsx # Employee directory
β β β βββ goals/page.tsx # Push shared goals
β β β βββ analytics/page.tsx # 6-chart analytics dashboard
β β β βββ analytics/manager-effectiveness/page.tsx # Manager comparison table
β β β βββ escalations/page.tsx # Escalation log + resolve
β β β βββ audit/page.tsx # Full audit trail
β β β βββ integrations/page.tsx # Live SSO/Email/Teams status
β β β
β β βββ api/
β β β βββ auth/[...nextauth]/route.ts # NextAuth OAuth handler
β β β βββ cron/
β β β β βββ escalation/route.ts # Escalation engine cron (weekly)
β β β β βββ checkin-reminder/route.ts # Check-in reminder cron (quarterly)
β β β βββ export/route.ts # CSV export for HR
β β β
β β βββ sso-callback/page.tsx # SSO bridge: auto-provision + role map + redirect
β β βββ globals.css # Design tokens, dark/light vars, status badge classes
β β βββ layout.tsx # Root layout with ThemeProvider
β β
β βββ components/
β β βββ ui/ # Shadcn primitives (Button, Card, Badge, Dialogβ¦)
β β βββ layout/
β β β βββ sidebar.tsx # Role-adaptive sidebar with theme toggle
β β βββ goals/ # Goal form, goal row, manager goal row
β β βββ admin/
β β βββ analytics-charts.tsx # 6 Recharts chart components
β β βββ push-shared-goal-form.tsx # Admin shared goal pusher
β β βββ resolve-escalation-button.tsx
β β βββ trigger-escalation-button.tsx # Manual escalation scan trigger
β β βββ unlock-goal-button.tsx
β β
β βββ lib/
β βββ auth.ts # NextAuth config with group claim forwarding
β βββ db.ts # Prisma singleton
β βββ email.ts # Resend integration (5 typed email senders)
β βββ teams.ts # Teams webhook (6 typed notification senders with deep-links)
β βββ escalation.ts # 3-rule escalation engine
β βββ session.ts # Custom JWT session (jose)
β βββ score-utils.ts # UoM-aware computed score calculation
β βββ goal-utils.ts # Thrust areas, validation constants
β βββ role-utils.ts # Role β dashboard redirect map
β βββ actions/
β βββ auth.actions.ts # Login, logout Server Actions
β βββ goal.actions.ts # CRUD + submit (with email+teams)
β βββ approval.actions.ts # Approve, reject, inline edit (with email+teams)
β βββ checkin.actions.ts # Submit check-in, manager comment (with email+teams)
β βββ escalation.actions.ts # Resolve escalation
β βββ admin.actions.ts # Push shared goal, unlock goal
β
βββ .env # Runtime secrets (never commit)
βββ .env.example # Template with all required variable names
βββ vercel.json # Cron job schedule definitions
βββ tailwind.config.ts # Extended theme config
Copy .env.example to .env and fill in your values.
# ββ Database βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
DATABASE_URL="postgresql://user:pass@host:5432/db?pgbouncer=true"
DIRECT_URL="postgresql://user:pass@host:5432/db"
# ββ Session ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
SESSION_SECRET="<32-byte base64 random string>"
AUTH_SECRET="<same as SESSION_SECRET>"
# ββ Microsoft Entra ID (Azure AD) SSO βββββββββββββββββββββββββββββββββββββββββ
AZURE_AD_CLIENT_ID="" # App Registration β Application (client) ID
AZURE_AD_CLIENT_SECRET="" # App Registration β Certificates & Secrets
AZURE_AD_TENANT_ID="" # App Registration β Directory (tenant) ID
AZURE_AD_GROUP_EMPLOYEE="" # Entra ID β Groups β Cadence-Employees β Object ID
AZURE_AD_GROUP_MANAGER="" # Entra ID β Groups β Cadence-Managers β Object ID
AZURE_AD_GROUP_ADMIN="" # Entra ID β Groups β Cadence-Admins β Object ID
# ββ Email (Resend) βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
RESEND_API_KEY="" # resend.com β API Keys (free: 3,000/month)
# ββ Microsoft Teams ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
TEAMS_WEBHOOK_URL="" # Teams channel β Connectors β Incoming Webhook β URL
# ββ App ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
NEXT_PUBLIC_APP_URL="https://your-app.vercel.app"
# ββ Cron Security ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
CRON_SECRET="<random hex string>"git clone https://github.com/Shubh-Raj/Cadence.git
cd Cadence
npm installcp .env.example .env
# Edit .env with your valuesnpx prisma db push
npx prisma db seedSeeds three demo users: employee@cadence.dev, manager@cadence.dev, admin@cadence.dev (all with password Role@123).
npm run devOpen http://localhost:3000 : click any demo account on the login page to auto-fill credentials.
vercel deploySet all .env variables in Vercel β Project Settings β Environment Variables. Cron jobs in vercel.json are automatically registered on deploy.
After registering your app in portal.azure.com:
- Go to App Registrations β your app
- Authentication tab β Redirect URI is
https://{YOUR_DOMAIN}/api/auth/callback/microsoft-entra-id - Supported account types is "Any Entra ID Tenant + Personal Microsoft accounts"
- Manifest tab β
"groupMembershipClaims": "SecurityGroup"(notnull)
- Entra ID β Groups : Three groups exist:
Cadence-Employees,Cadence-Managers,Cadence-Admins - Your test user is a member of at least one group
- Object IDs are copied to
.env
- Open the portal β click "Sign in with Microsoft"
- Log in with a corporate Microsoft account
- You should be redirected to the correct role dashboard
- Check Admin β Integrations page : SSO should show Active β
- Sign in with an account not yet in the DB
- User should be auto-created (not redirected to
not_provisionederror) - Check Admin β Employees : new user appears with correct role
- Log in as Employee (
employee@cadence.dev) - Create goals totalling 100% β Submit sheet
- Check the Manager's inbox : should receive a branded email with a "Review Goals β" button
- Configure
TEAMS_WEBHOOK_URLin.env - Repeat the goal submission above
- Your Teams channel should receive an Adaptive Card with the employee's name and a direct link to the review page
- Log in as Admin
- Go to Escalations β click "Run Escalation Scan"
- Any employees >14 days overdue will generate escalation logs
- Resolve one β it moves to the Resolved section
- Log in as Admin β go to Analytics
- All 6 charts render with real data from the seeded users
- Go to Mgr Effectiveness β manager comparison table appears
- Click Export CSV to download the full goal sheet dataset
Built for AtomQuest Hackathon 2026 Β· Cadence Portal Β·