fix(dashboard): wave-4 P2s — unlimited bars, deploy count, conn tile, changelog (#94)

- UsageBar: treat limit < 0 as "unlimited" (∞ label, neutral bar) instead
  of rendering a literal "-1"; call sites pass raw -1 and drop the per-call
  workaround.
- OverviewPage + useDashboardCtx: source the deployments count from
  GET /api/v1/deployments (api.listDeployments) — deployments are a separate
  table, never resource_type==='deploy' rows in /api/v1/resources, so the old
  filter was always 0.
- OverviewPage connections tile: drop the connections_in_use numerator the
  API never emits; show the aggregate per-tier connection ceiling and skip
  -1 (unlimited) when summing so it can't corrupt the denominator.
- ChangelogPage: add factual entries for 2026-05-15 (Pro storage bump +
  annual pricing), 2026-05-16 (tier enforcement + billing resilience), and
  2026-05-17 (P0/P1 bug-hunt fixes).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- public/llms.txt (synced copy): same upgrade_url->upgrade + pgvector fixes
  applied to content/llms.txt (manual sync per CLAUDE.md).

Author: mastermanas805

public/llms.txt

@@ -14,7 +14,7 @@ On a prompt like that, the agent should: `POST /db/new` for Postgres, write the
 
 ## API endpoints
 
-All accept `POST` against `https://api.instanode.dev`. No authentication header required for the anonymous tier, but every request body **must** include `name` (see below). Response shape: `{ok, token, connection_url, internal_url, tier, limits, note, upgrade_jwt, upgrade_url}` for db/cache/nosql/queue — where `upgrade_url` is the human-readable claim link (e.g. `https://instanode.dev/start?t=<jwt>`) and `upgrade_jwt` is the raw JWT for programmatic use. `/webhook/new` returns `receive_url` (no internal_url). `/storage/new` adds `endpoint`, `access_key_id`, `secret_access_key`, `prefix` alongside `connection_url`.
+All accept `POST` against `https://api.instanode.dev`. No authentication header required for the anonymous tier, but every request body **must** include `name` (see below). Response shape: `{ok, token, connection_url, internal_url, tier, limits, note, upgrade_jwt, upgrade}` for db/cache/nosql/queue — where `upgrade` is the human-readable claim link (e.g. `https://api.instanode.dev/start?t=<jwt>`) and `upgrade_jwt` is the raw JWT for programmatic use. `/webhook/new` returns `receive_url` (no internal_url). `/storage/new` adds `endpoint`, `access_key_id`, `secret_access_key`, `prefix` alongside `connection_url`.
 
 ### Required `name` field (all provisioning endpoints)
 
@@ -28,7 +28,7 @@ Every provisioning endpoint — `/db/new`, `/cache/new`, `/nosql/new`, `/queue/n
 
 Pick a descriptive name per resource (e.g. `"prod-db"`, `"sessions-cache"`, `"events-queue"`) so the user can tell resources apart later.
 
-- **`POST /db/new`** — Postgres database. Requires `name`. `pgvector` pre-installed (HNSW + IVFFlat indexes work). Returns `connection_url` in the form `postgres://USER:PASS@HOST:PORT/DB`. Use any standard Postgres client / driver.
+- **`POST /db/new`** — Postgres database. Requires `name`. Returns `connection_url` in the form `postgres://USER:PASS@HOST:PORT/DB`. Use any standard Postgres client / driver. (For pgvector / HNSW + IVFFlat similarity search, use the separate `POST /vector/new` endpoint.)
 - **`POST /cache/new`** — Redis. Requires `name`. Per-token ACL'd user + namespaced keyspace. Returns `connection_url` in the form `redis://:PASS@HOST:PORT/DB`.
 - **`POST /nosql/new`** — MongoDB. Requires `name`. Per-token user scoped to a single database. Returns a `mongodb://...` connection URL. The per-token connection budget is documented in the response `limits.connections` field (e.g. anonymous = 2). The underlying shared-tenant pod admits up to 20 simultaneous connections across all tokens, so plan agents to stay well below their per-token allocation under burst.
 - **`POST /queue/new`** — NATS JetStream. Requires `name`. Returns `connection_url` (`nats://pool-<uuid>@host:4222`) with per-account subject isolation baked into the URL. No separate creds file — pass the connection_url directly to any NATS client. Durable streams, request/reply, pub/sub.

src/components/Common.tsx

@@ -324,6 +324,11 @@ export function Sparkline({
 }
 
 // ------------- usage bar -------------
+// The agent API emits `limit = -1` for unlimited (team-tier) quotas. A bare
+// `-1` would render a literal "-1" in the label and a NaN/negative ratio for
+// the bar fill, so `limit < 0` is treated as "unlimited": the fill stays
+// neutral (no usage ratio is meaningful against an unbounded limit) and the
+// label shows the used value against an ∞ symbol.
 export function UsageBar({
   used,
   limit,
@@ -333,7 +338,8 @@ export function UsageBar({
   limit: number
   format?: (used: string, limit: string) => string
 }) {
-  const ratio = limit > 0 ? Math.min(used / limit, 1) : 0
+  const unlimited = limit < 0
+  const ratio = !unlimited && limit > 0 ? Math.min(used / limit, 1) : 0
   const cls = ratio > 0.95 ? 'fill danger' : ratio > 0.8 ? 'fill warn' : 'fill'
   const fmt = (n: number) => {
     if (n >= 1_000_000_000) return `${(n / 1_000_000_000).toFixed(1)} GB`
@@ -346,7 +352,7 @@ export function UsageBar({
       <span className="bar">
         <span className={cls} style={{ width: `${ratio * 100}%` }} />
       </span>
-      <span className="num">{format(fmt(used), fmt(limit))}</span>
+      <span className="num">{format(fmt(used), unlimited ? '∞' : fmt(limit))}</span>
     </div>
   )
 }

src/hooks/useDashboardCtx.ts

@@ -113,9 +113,14 @@ async function refreshMe() {
 
 async function refreshCounts() {
   try {
-    const [r, v] = await Promise.all([
+    // Deployments live in their own table (GET /api/v1/deployments) — they
+    // are NOT rows in the `resources` list (resource_type === 'deploy' never
+    // appears there), so the sidebar deployments count must be sourced from
+    // api.listDeployments(), not a filter over `resources`.
+    const [r, v, d] = await Promise.all([
       api.listResources().catch(() => ({ items: [], total: 0 })),
       api.listVault(state.env).catch(() => ({ entries: [] })),
+      api.listDeployments(state.env).catch(() => ({ ok: true as const, items: [], total: 0 })),
     ])
     // Merge envs from resources too — surfaces real env names.
     const fromAPI = new Set(state.envs)
@@ -130,7 +135,7 @@ async function refreshCounts() {
       resources: items,
       counts: {
         resources: filtered.length,
-        deployments: filtered.filter((x) => x.resource_type === 'deploy').length,
+        deployments: ((d as any).items ?? []).length,
         vault: ((v as any).entries ?? []).length,
         team: 1, // no /team/members endpoint; placeholder
       },

src/pages/ChangelogPage.tsx

@@ -37,6 +37,37 @@ interface ChangelogEntry {
  * each bullet single-line, no marketing fluff — the audience is a
  * procurement reviewer or an on-call engineer checking what changed. */
 const ENTRIES: ChangelogEntry[] = [
+  {
+    date: '2026-05-17',
+    title: 'Bug-hunt remediation — P0/P1 fixes',
+    bullets: [
+      'Hardened POST /claim against account-takeover: a claim now requires the session it claims into and no longer mints a token for a pre-existing email.',
+      'Large deploy tarballs are read in full (io.ReadAll) — fixed a truncation bug where big multipart uploads built on a partly-zero buffer.',
+      'Redeploys now re-resolve vault:// env references, so vault-backed apps no longer break on redeploy.',
+      'Customer-deploy NetworkPolicy egress now covers the production DOKS pod/service CIDRs (was hardcoded to the dev cluster ranges).',
+    ],
+  },
+  {
+    date: '2026-05-16',
+    title: 'Tier enforcement + billing resilience',
+    bullets: [
+      'Provisioning responses now redact secret-bearing env values (credential URLs, *_KEY/_SECRET/_TOKEN keys); the dashboard masks them behind a reveal toggle.',
+      'Storage-quota enforcement now does a real provisioner-side revoke (Postgres REVOKE CONNECT, Redis ACL disable, Mongo role revoke) with auto-unsuspend when usage drops.',
+      'Plan upgrades now elevate deployments and stacks alongside resources and clear their anonymous 24h TTL — a paid app is no longer expired by the lifecycle worker.',
+      'Billing reconciler added: a 15-minute poll against Razorpay closes any missed-webhook gap in either direction.',
+      'Dedicated Redis is capped at provision time with a per-tier maxmemory; the entitlement reconciler re-applies the cap on tier changes.',
+    ],
+  },
+  {
+    date: '2026-05-15',
+    title: 'Pro storage bump + annual pricing',
+    bullets: [
+      'Pro-tier storage raised to 10 GB Postgres / 512 MB Redis / 5 GB MongoDB — a material limits increase across all Pro subscriptions.',
+      'Annual billing added for Hobby, Hobby Plus, Pro, and Team: same limits as the monthly plans, billed yearly at a discount.',
+      'Free, Hobby Plus, and Growth tiers reconciled across the pricing page, billing page, and API documentation so every surface quotes the same numbers.',
+      'Default provisioning environment is now "development" — a call that omits `env` lands in the lowest-stakes bucket instead of merging with production state.',
+    ],
+  },
   {
     date: '2026-05-14',
     title: 'Trust + marketing accuracy pass (W12)',

src/pages/OverviewPage.tier-limit.test.tsx

@@ -24,6 +24,7 @@ vi.mock('../api', async () => {
     ...actual,
     listResources: vi.fn().mockResolvedValue({ ok: true, items: [], total: 0 }),
     fetchActivity: vi.fn().mockResolvedValue({ ok: true, items: [] }),
+    listDeployments: vi.fn().mockResolvedValue({ ok: true, items: [], total: 0 }),
   }
 })
 

src/pages/OverviewPage.tsx

@@ -7,7 +7,7 @@ import {
 import { QuotaWallBanner } from '../components/QuotaWallBanner'
 import { UpgradeButton } from '../components/UpgradeButton'
 import * as api from '../api'
-import type { Resource, ActivityItem } from '../api'
+import type { Resource, ActivityItem, DashboardDeployment } from '../api'
 import { useDashboardCtx } from '../hooks/useDashboardCtx'
 
 // Storage limit per tier in GB, used for the Overview usage chart.
@@ -67,6 +67,10 @@ function stripHtmlTags(s: string | null | undefined): string {
 export function OverviewPage() {
   const [resources, setResources] = useState<Resource[]>([])
   const [activity, setActivity] = useState<ActivityItem[]>([])
+  // Deployments live in their own table served by GET /api/v1/deployments —
+  // they are NOT rows in `resources` (resource_type === 'deploy' never
+  // appears there), so the deployments tile must source them separately.
+  const [deployments, setDeployments] = useState<DashboardDeployment[]>([])
   const [loading, setLoading] = useState(true)
   const [copiedPrompt, setCopiedPrompt] = useState<string | null>(null)
   const ctx = useDashboardCtx()
@@ -135,10 +139,17 @@ export function OverviewPage() {
 
   useEffect(() => {
     let alive = true
-    Promise.all([api.listResources(ctx.env), api.fetchActivity()]).then(([r, a]) => {
+    Promise.all([
+      api.listResources(ctx.env),
+      api.fetchActivity(),
+      // Deployments are a separate table — fail-soft to [] so a deployments
+      // outage doesn't blank the resources/activity tiles.
+      api.listDeployments(ctx.env).catch(() => ({ ok: true as const, items: [], total: 0 })),
+    ]).then(([r, a, d]) => {
       if (!alive) return
       setResources(r.items)
       setActivity(a.items)
+      setDeployments(d.items)
       setLoading(false)
     })
     return () => {
@@ -152,19 +163,27 @@ export function OverviewPage() {
   // FIX-K (2026-05-16): plans.yaml uses binary MiB; use *1024 (was *1000).
   const tierLimitMB = tierLimitGB * 1024
   const storagePct = tierLimitMB > 0 ? Math.round((totalStorageMB / tierLimitMB) * 100) : 0
-  const conn = resources.reduce((s, r) => s + (r.connections_in_use ?? 0), 0)
-  const connLim = resources.reduce((s, r) => s + (r.connections_limit ?? 0), 0)
+  // Connections tile: the API never emits `connections_in_use`, so a numerator
+  // sourced from it is always 0 — show the per-tier connection ceiling only.
+  // `-1` (team/growth unlimited) is excluded from the sum so it can't corrupt
+  // the denominator; if any resource is unlimited the tile reports ∞.
+  const connUnlimited = resources.some((r) => (r.connections_limit ?? 0) < 0)
+  const connLim = resources.reduce(
+    (s, r) => s + ((r.connections_limit ?? 0) > 0 ? (r.connections_limit as number) : 0),
+    0,
+  )
   const recent = [...resources].sort((a, b) => +new Date(b.created_at) - +new Date(a.created_at)).slice(0, 4)
 
   const now = Date.now()
   const newThisWeek = resources.filter((r) => now - +new Date(r.created_at) <= SEVEN_DAYS_MS).length
-  const deploys = resources.filter((r) => r.resource_type === 'deploy')
-  const deployCount = deploys.length
-  const deployHealthy = deploys.filter((r) => r.status === 'active').length
+  // Deployments are a separate table (GET /api/v1/deployments) — never rows in
+  // `resources`. Source the count + health from the dedicated fetch.
+  const deployCount = deployments.length
+  const deployHealthy = deployments.filter((d) => d.status === 'running').length
   const webhookCount = resources.filter((r) => r.resource_type === 'webhook').length
 
   const storageSub = resources.length === 0 ? tier : `${storagePct}% of ${tier} tier`
-  const connSub = connLim === 0 ? '' : `${conn}/${connLim} active`
+  const connSub = connUnlimited ? 'unlimited' : connLim === 0 ? '' : `${connLim} max`
   const deploySub = deployCount === 0 ? 'none yet' : `${deployHealthy}/${deployCount} healthy`
   const vaultSub = vaultCount === 0 ? '' : `scoped to ${env}`
 
@@ -187,7 +206,10 @@ export function OverviewPage() {
             stats/series is live. */}
         <Stat k="resources" v={loading ? '—' : resources.length.toString()} d={newThisWeek === 0 ? '—' : `+${newThisWeek} this week`} series={undefined} />
         <Stat k={`storage / ${tierLimitGB} GB`} v={loading ? '—' : (totalStorageMB / 1000).toFixed(1)} unit="GB" d={storageSub} dCls="dim" series={undefined} />
-        <Stat k={`conn / ${connLim}`} v={loading ? '—' : conn.toString()} d={connSub} dCls="dim" series={undefined} />
+        {/* Connections tile shows the aggregate per-tier connection ceiling.
+            The API does not emit a live in-use count, so a numerator would
+            always read 0 — show the ceiling honestly instead. */}
+        <Stat k="connection limit" v={loading ? '—' : connUnlimited ? '∞' : connLim.toString()} d={connSub} dCls="dim" series={undefined} />
         <Stat k="deployments" v={loading ? '—' : deployCount.toString()} d={deploySub} series={undefined} />
         <Stat k="webhooks · 24h" v={loading ? '—' : webhookCount.toString()} d="" series={undefined} />
         <Stat k="vault entries" v={vaultCount.toString()} d={vaultSub} dCls="dim" series={undefined} />
@@ -242,8 +264,7 @@ export function OverviewPage() {
                 <EnvPill env={r.env} />
                 <UsageBar
                   used={Math.round(r.storage_bytes / 1_000_000)}
-                  limit={r.storage_limit_bytes === -1 ? 0 : Math.round(r.storage_limit_bytes / 1_000_000)}
-                  format={(a, b) => r.storage_limit_bytes === -1 ? `${a} / ∞` : `${a} / ${b}`}
+                  limit={r.storage_limit_bytes < 0 ? -1 : Math.round(r.storage_limit_bytes / 1_000_000)}
                 />
                 <RelTime at={r.created_at} />
                 <button className="res-action" aria-label="actions">⋯</button>

src/pages/ResourcesPage.tsx

@@ -228,8 +228,8 @@ export function ResourcesPage() {
                 <EnvPill env={r.env} />
                 <UsageBar
                   used={Math.round(r.storage_bytes / 1_000_000)}
-                  limit={r.storage_limit_bytes === -1 ? 0 : Math.round(r.storage_limit_bytes / 1_000_000)}
-                  format={(a, b) => r.storage_limit_bytes === -1 ? `${a} / ∞ MB` : `${a} / ${b} MB`}
+                  limit={r.storage_limit_bytes < 0 ? -1 : Math.round(r.storage_limit_bytes / 1_000_000)}
+                  format={(a, b) => `${a} / ${b} MB`}
                 />
                 <span style={{ fontFamily: 'var(--font-mono)', fontSize: 11, color: 'var(--text-dim)' }}>
                   {r.connections_in_use ?? '—'} / {r.connections_limit == null ? '—' : r.connections_limit === -1 ? '∞' : r.connections_limit}