diff --git a/flake.nix b/flake.nix
index db3efb4..5b74a87 100644
--- a/flake.nix
+++ b/flake.nix
@@ -51,12 +51,18 @@
     in
     {
       packages = forAllSystems (
-        { naersk-lib, ... }:
+        { pkgs, naersk-lib, ... }:
         {
           default = naersk-lib.buildPackage {
             src = ./.;
             meta.description = "hyperhive workspace (hive-c0re, hive-ag3nt, hive-m1nd)";
           };
+          # Bundled browser assets — see ./nix/frontend.nix. Output is
+          # $out/{dashboard,agent}/ which the Rust binaries serve via
+          # tower_http::ServeDir (wired up in Phase 4 of #273).
+          frontend = pkgs.callPackage ./nix/frontend.nix {
+            branding-svg = ./branding/hyperhive.svg;
+          };
         }
       );
 
diff --git a/nix/frontend.nix b/nix/frontend.nix
new file mode 100644
index 0000000..c161ed2
--- /dev/null
+++ b/nix/frontend.nix
@@ -0,0 +1,60 @@
+{
+  buildNpmPackage,
+  lib,
+  branding-svg,
+}:
+
+# Hermetic build of the npm-managed frontend workspaces (see
+# `frontend/README.md`). Consumes `frontend/package-lock.json` as the
+# source of truth for dependency versions; `npmDepsHash` pins the
+# vendor-tarball hash so a stale lockfile fails the build instead of
+# silently fetching different upstream tarballs.
+#
+# Output layout (`$out`) — two subdirectories, one per surface, that
+# the Rust binaries serve via `tower_http::ServeDir`:
+#
+#   $out/dashboard/   the hive-c0re dashboard SPA assets
+#       index.html app.js app.js.map dashboard.css favicon.svg
+#   $out/agent/       the per-agent default UI (layered with
+#                     hyperhive.frontend.extraFiles at activation time)
+#       index.html app.js stats.html stats.js agent.css screen.html
+#
+# The dashboard favicon lives outside the npm tree (`branding/hyperhive
+# .svg` at the repo root) — we copy it in during the install phase so
+# the served prefix has everything in one place.
+
+buildNpmPackage {
+  pname = "hyperhive-frontend";
+  version = "0.0.0";
+  src = ../frontend;
+
+  # Computed from `frontend/package-lock.json`. The build will fail
+  # with the actual hash printed on the first attempt; update this
+  # whenever package-lock.json changes. Use
+  #   nix run nixpkgs#prefetch-npm-deps -- frontend/package-lock.json
+  # locally to recompute without a build round-trip.
+  npmDepsHash = lib.fakeHash;
+
+  # `npm run build` recurses into all workspaces (`--workspaces
+  # --if-present`). The workspaces' build scripts each run their own
+  # `build.mjs` (esbuild).
+  npmBuildScript = "build";
+
+  # buildNpmPackage's default install phase copies the working dir into
+  # $out, which is overkill — we only want the dist trees. Hand-roll
+  # the install to keep $out tight.
+  dontNpmInstall = true;
+  installPhase = ''
+    runHook preInstall
+    mkdir -p $out/dashboard $out/agent
+    cp -r packages/dashboard/dist/. $out/dashboard/
+    cp -r packages/agent/dist/. $out/agent/
+    cp ${branding-svg} $out/dashboard/favicon.svg
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "Bundled browser-facing assets for the hyperhive dashboard and per-agent UI";
+    homepage = "https://git.berlin.ccc.de/vinzenz/hyperhive";
+  };
+}