dashboard: truth pass — strip stubbed surfaces, ship reality (#30)

This is the dashboard-side rollup of a multi-agent retro session that
addressed user-flagged "the dashboard is a mock" symptoms across every
page. Aggregates the wave 1-3 work + Playwright visual retro findings
(/tmp/dashboard-retro/) into a single shippable PR for instanode.dev/app.

Headline fixes by surface:

  • /app/deployments
    - listStacks no longer falls back to FIXTURE_STACKS on error.
      The page renders an honest "No deployments yet" empty state
      instead of fake "flashcards · prod · 14:42:01" rows the user
      doesn't own. (This is the bug Manas pointed at in the live URL.)
    - Filter chips with hardcoded counts removed. PromptPill removed.

  • /app/deployments/:id
    - EnvVars + Bound Resources tabs no longer hardcode DATABASE_URL /
      STRIPE_SECRET_KEY / OPENAI_API_KEY / flashcards-db. Honest empty
      states explaining the Phase-1 endpoints they wait on.
    - SideKv runtime sidebar (marcus · 12m · a31fc8de · 142 MB · …)
      replaced with real DashboardStack fields only.

  • /app/billing
    - Usage panel: hardcoded 47/500, 163/256, 1.64/2GB etc. replaced
      with per-type aggregates computed from listResources().
    - AppShell sidebar upgrade card: "9 days to renewal · auto-charges
      May 19" replaced with real billing.next_renewal_at + payment_*.
    - Card expiry 9/27 fixture leak removed. Invoice status pill renders
      i.status (not the deploy-status "running"). Update button →
      mailto:support.
    - Cancel removed → mailto:support per the no-self-serve-cancel
      memory rule.

  • /app/team
    - Dead revoke button + member kebab gone. Replaced with PromptCards
      (DELETE /api/v1/team/invitations/{id},
       DELETE /api/v1/team/members/{user_id}).
    - "Pro tier · 5 team seats" hardcoded → tier-aware from
      ctx.me.team.tier via seatLimitByTier map matching plans.yaml.

  • /app/vault
    - rotated_at no longer fabricated at parse time. Row meta chip
      conditionally renders only when value is real.

  • /app/resources
    - Env filter chips removed (backend doesn't filter by env; chip was
      a lie). EnvPill column kept (resources.env is a real column).
    - PromptCards for provision + deploy with tier-aware prompts.

  • /app/overview
    - Quick-prompts replaced 3 decorative <a> tags with real <button>
      elements that copy tier-interpolated prompts via
      navigator.clipboard.writeText. "copied ✓" flash for 1.5s.
    - "⌘K to send" chip → "copy → paste in agent" (no keyboard handler
      ever existed for ⌘K).

  • /app/agent
    - Page deleted entirely. The static prompt-library with 21 dead
      "copy ↗" buttons + the "claude-code · connected" fake footer
      contradicted the no-AI-in-UI memory rule. The contextual
      PromptCards on each page cover the use case better with real
      resource data interpolated.

  • /app/settings
    - Revoke PAT button → PromptCard. PAT creation kept clickable
      (bootstrap path — agent can't mint its own first credential).

  • /claim
    - "free trial resources expire" copy → "free-tier resources expire
      after 24h unless you subscribe" matching no-trial policy.
    - Post-submit screen redesigned as payment funnel: 24h countdown +
      "Keep my resources $9/mo" CTA → createCheckout('hobby') → Razorpay.
    - 18 new tests in ClaimPage.test.tsx.

  • AppShell chrome
    - Hardcoded "acme-corp" breadcrumb → ctx.me.team.name.
    - "Ask agent" topbar button + ⌘K NavRow badge removed.
    - ROBanner "✦ ⌘K · ask agent" decorative anchor removed.

  • PricingPage
    - "Multi-env workflows" advertised as Pro tier (shipped via the
      api-side env promotion endpoints landing in a separate PR).

  • Expiry warning UI
    - ExpiryBadge + ExpiryWarningBanner + useExpiryTick in Common.tsx.
    - AppShell-level red banner above page body when any resource is
      <6h from expiry. Per-row badge on ResourcesPage with pulse when
      urgent. Header badge + Time-Remaining card on ResourceDetailPage.
    - 41 new tests across OverviewPage + ResourcesPage.

  • Tier model
    - 'free' tier added as a distinct real tier alongside 'anonymous'
      (same limits, different audience per the keep-both-tiers
      decision). TierPill renders both with distinct styles.

  • Test infrastructure
    - 7 test files now (was 3). 162 passing, 3 pre-existing skips.
    - New: Common.test.tsx (5), ClaimPage.test.tsx (18),
      OverviewPage.test.tsx (29), ResourcesPage.test.tsx (12).

Known follow-ups (deliberately deferred):
  • §10.21 FIXTURE_* removal — most fixture fallbacks (vault, billing
    503, activity, getStack/getStackLogs) still use stub fallback on
    error. Each removal requires a per-page UX decision (empty state
    vs error banner) cleaner in a focused follow-up. Tracked in
    RETRO-2026-05-12.md §10.21.
  • §10.20 Server-side /billing/usage + /team/summary with Redis cache
    + singleflight + Cache-Control headers per the new caching memory
    rule. The BillingPage Usage panel is currently client-side
    aggregation — works but doesn't honor the eventual-consistent
    caching policy. Tracked in §10.20.
  • §10.10 Single copyToClipboard() helper with execCommand fallback
    for HTTP/Safari. The wave-4 agent that started this was stopped
    mid-flight; the Common.tsx changes (5 new tests) made it in. The
    per-page swap to use the helper is the follow-up.

Test gate:
  - npx tsc --noEmit: 0
  - npm test -- --run: 162 passed, 3 skipped, 0 failed (7 test files)

Reference: /Users/manassrivastava/Documents/InstaNode/RETRO-2026-05-12.md
contains the full session retro including §10.X agent-dispatchable specs.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

README.md

@@ -20,9 +20,11 @@ npm install
 npm run dev      # Vite dev server at http://localhost:5173
 ```
 
-To point the dev proxy at a local k8s cluster:
+To point the dev proxy at a local k8s cluster (the Service is ClusterIP — NodePort
+retired 2026-05-11 — so port-forward `svc/instant-api` first):
 ```bash
-AGENT_API_URL=http://localhost:30080 npm run dev
+kubectl port-forward -n instant svc/instant-api 8080:8080 &
+AGENT_API_URL=http://localhost:8080 npm run dev
 ```
 
 To run unit tests:
@@ -87,8 +89,10 @@ http://localhost:5173/claim?t=<jwt>
 107 tests covering auth guards, the upgrade journey, and resource interactions.
 
 ```bash
-# Requires: Vite dev server running (npm run dev) + agent API at localhost:30080
-E2E_API_URL=http://localhost:30080 npx playwright test --project=chromium
+# Requires: Vite dev server running (npm run dev) + agent API port-forwarded
+# (Service is ClusterIP; NodePort retired):
+#   kubectl port-forward -n instant svc/instant-api 8080:8080
+E2E_API_URL=http://localhost:8080 npx playwright test --project=chromium
 
 # Run a single spec
 npx playwright test e2e/auth-guards.spec.ts --project=chromium
@@ -108,7 +112,7 @@ npx playwright test --headed --project=chromium
 | `AGENT_API_URL` | Upstream the Vite dev proxy points at | `http://api.instanode.dev` |
 | `VITE_API_URL` | Build-time override for the production bundle | `https://api.instanode.dev` |
 | `VITE_NO_PROXY` | Disables Vite proxy (set to `1` in E2E) | unset |
-| `E2E_API_URL` | Agent API base URL used by Playwright tests | `http://localhost:30080` |
+| `E2E_API_URL` | Agent API base URL used by Playwright tests (port-forward `svc/instant-api` first) | `http://localhost:8080` |
 
 ---
 

scripts/retro.mjs

@@ -0,0 +1,198 @@
+// Standalone retro script — uses Playwright lib directly (no test runner).
+// Captures screenshots + DOM evidence for every dashboard route.
+import { chromium } from 'playwright'
+import fs from 'fs'
+
+const OUT = '/tmp/dashboard-retro'
+const BASE = 'http://localhost:5173'
+
+const FAKE_TEAM = '00000000-1111-2222-3333-444444444444'
+const FAKE_USER = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
+const FAKE_RESOURCES = [
+  { id: '11111111-aaaa-bbbb-cccc-000000000001', token: '11111111-aaaa-bbbb-cccc-000000000001',
+    resource_type: 'postgres', name: 'flashcards-db', env: 'production', tier: 'hobby',
+    status: 'active', storage_bytes: 47_500_000, storage_limit_bytes: 500_000_000,
+    storage_exceeded: false, connections_in_use: 2, connections_limit: 5,
+    created_at: '2026-04-22T18:42:11Z', team_id: FAKE_TEAM, expires_at: null },
+  { id: '22222222-aaaa-bbbb-cccc-000000000002', token: '22222222-aaaa-bbbb-cccc-000000000002',
+    resource_type: 'redis', name: 'flashcards-cache', env: 'production', tier: 'hobby',
+    status: 'active', storage_bytes: 1_200_000, storage_limit_bytes: 25_000_000,
+    storage_exceeded: false, connections_in_use: 1, connections_limit: 5,
+    created_at: '2026-04-22T18:42:25Z', team_id: FAKE_TEAM, expires_at: null },
+]
+
+function json(body) {
+  return { status: 200, contentType: 'application/json', body: JSON.stringify(body) }
+}
+
+async function installFakes(page) {
+  await page.route('**/auth/me', (r) => r.fulfill(json({
+    ok: true, user_id: FAKE_USER, team_id: FAKE_TEAM,
+    email: 'aanya@example.com', tier: 'hobby', trial_ends_at: null,
+  })))
+  await page.route('**/api/v1/resources', (r) => {
+    if (r.request().method() === 'GET') {
+      return r.fulfill(json({ ok: true, items: FAKE_RESOURCES, total: FAKE_RESOURCES.length }))
+    }
+    return r.continue()
+  })
+  for (const res of FAKE_RESOURCES) {
+    await page.route(`**/api/v1/resources/${res.token}`, (r) =>
+      r.fulfill(json({ ok: true, item: res })))
+    await page.route(`**/api/v1/resources/${res.token}/credentials`, (r) =>
+      r.fulfill(json({ ok: true, id: res.id, token: res.token,
+        resource_type: res.resource_type, env: res.env,
+        connection_url: res.resource_type === 'postgres'
+          ? 'postgres://usr:pw@pg.instanode.dev:5432/db'
+          : 'redis://usr:pw@redis.instanode.dev:6379/0' })))
+  }
+  await page.route('**/api/v1/vault/production', (r) => r.fulfill(json({ ok: true, keys: ['RAZORPAY_KEY_SECRET','OPENAI_API_KEY'] })))
+  await page.route('**/api/v1/vault/staging', (r) => r.fulfill(json({ ok: true, keys: [] })))
+  await page.route('**/api/v1/vault/development', (r) => r.fulfill(json({ ok: true, keys: [] })))
+  await page.route('**/api/v1/auth/api-keys', (r) => {
+    if (r.request().method() === 'GET') {
+      return r.fulfill(json({ ok: true, items: [
+        { id: 'k1111111-1111-1111-1111-111111111111', name: 'laptop',
+          scopes: ['read','write'], created_at: '2026-05-01T10:00:00Z',
+          last_used_at: '2026-05-09T18:00:00Z', revoked: false }
+      ]}))
+    }
+    return r.continue()
+  })
+  await page.route('**/api/v1/stacks', (r) => r.fulfill(json({
+    ok: true, items: [
+      { id: 'stk_flashcards', slug: 'flashcards', name: 'flashcards',
+        status: 'running', env: 'production', tier: 'hobby',
+        url: 'https://flashcards.deployment.instanode.dev',
+        last_deploy_at: new Date(Date.now() - 12*60_000).toISOString(),
+        build_duration_s: 38, created_at: new Date(Date.now() - 86400_000).toISOString() },
+      { id: 'stk_worker', slug: 'worker', name: 'worker',
+        status: 'building', env: 'production', tier: 'hobby',
+        url: null, last_deploy_at: new Date(Date.now() - 5*60_000).toISOString(),
+        build_duration_s: 14, created_at: new Date(Date.now() - 2*86400_000).toISOString() },
+    ], total: 2,
+  })))
+  await page.route('**/api/v1/team/members', (r) => r.fulfill(json({
+    ok: true, members: [
+      { id: 'u1', email: 'aanya@example.com', role: 'owner', display_name: 'Aanya', created_at: new Date().toISOString() }
+    ]
+  })))
+  await page.route('**/api/v1/team/invitations', (r) => r.fulfill(json({ ok: true, invitations: [] })))
+  await page.route('**/api/v1/billing', (r) => r.fulfill(json({
+    ok: true, billing: {
+      tier: 'hobby', payment_network: 'visa', payment_last4: '4242',
+      payment_exp_month: 12, payment_exp_year: 2028,
+      current_period_end: new Date(Date.now() + 9*86400_000).toISOString()
+    }
+  })))
+  await page.route('**/api/v1/billing/invoices', (r) => r.fulfill(json({ ok: true, invoices: [] })))
+  await page.route('**/api/v1/activity', (r) => r.fulfill(json({ ok: true, items: [] })))
+}
+
+async function audit(page, route, slug) {
+  const screenshot = `${OUT}/${slug}.png`
+  try { await page.screenshot({ path: screenshot, fullPage: true, timeout: 10000 }) }
+  catch (e) { console.log(`  screenshot fail: ${e.message}`) }
+
+  const buttons = await page.$$eval('button', (btns) =>
+    btns.filter(b => !b.hasAttribute('onclick') && b.getAttribute('type') !== 'submit')
+        .map(b => (b.getAttribute('aria-label') || b.textContent || '').trim())
+        .filter(Boolean)
+  ).catch(() => [])
+  const anchorsNoHref = await page.$$eval('a:not([href])', (as) =>
+    as.map(a => (a.getAttribute('aria-label') || a.textContent || '').trim()).filter(Boolean)
+  ).catch(() => [])
+
+  const text = await page.locator('body').innerText().catch(() => '')
+  const count = (re) => (text.match(re) || []).length
+  const shortcuts = {
+    kbk: count(/⌘K/g),
+    kbslash: count(/⌘\//g),
+    sparkle: count(/✦/g),
+    askAgent: count(/ask agent/gi),
+  }
+  const hard = {
+    acme: count(/acme-corp|acme\.dev|acme\.com/gi),
+    aanya: count(/aanya|kavya@|marcus/gi),
+    flashcards: count(/flashcards|render-queue|events-store|cache-sessions/g),
+    fixtures: count(/d_xY9z2k7m|r_5tYn2k|m_2a8f10|q_cb091f|a31fc8de/g),
+    renewal: count(/9 days to renewal|auto-charges|May 19/g),
+    comingSoon: count(/coming soon|mocked|stubbed/gi),
+  }
+  const placeholders = (text.match(/\b(TODO|WIP|CHANGE_ME|FIXME|XXX|mocked|stubbed|FIXTURE)\b/g) || [])
+  const h1 = (await page.locator('h1').first().textContent().catch(() => '')) || ''
+
+  console.log(`\n## ${route}`)
+  console.log(`  screenshot: ${screenshot}`)
+  console.log(`  H1: ${h1.trim().slice(0, 80)}`)
+  console.log(`  shortcuts: ⌘K=${shortcuts.kbk} ⌘/=${shortcuts.kbslash} ✦=${shortcuts.sparkle} "ask agent"=${shortcuts.askAgent}`)
+  console.log(`  hardcoded: acme=${hard.acme} aanya/kavya/marcus=${hard.aanya} fixtures=${hard.flashcards} fixture-IDs=${hard.fixtures} renewal=${hard.renewal} comingSoon=${hard.comingSoon}`)
+  console.log(`  placeholders: ${placeholders.join(', ') || '—'}`)
+  console.log(`  buttons-no-onclick: ${buttons.length}`)
+  if (buttons.length) console.log(`    sample: ${buttons.slice(0, 12).map(s => s.replace(/\s+/g,' ').slice(0,40)).join(' | ')}`)
+  console.log(`  anchors-no-href: ${anchorsNoHref.length}`)
+  if (anchorsNoHref.length) console.log(`    sample: ${anchorsNoHref.slice(0, 8).map(s => s.replace(/\s+/g,' ').slice(0,40)).join(' | ')}`)
+
+  return { route, screenshot, h1: h1.trim(), shortcuts, hardcoded: hard, placeholders, buttonsNoHandler: buttons, anchorsNoHref }
+}
+
+async function main() {
+  fs.mkdirSync(OUT, { recursive: true })
+  const browser = await chromium.launch()
+  const ctx = await browser.newContext({ viewport: { width: 1440, height: 900 } })
+  await ctx.addInitScript(() => { localStorage.setItem('instanode.token', 'ink_FAKE_RETRO') })
+  const page = await ctx.newPage()
+  await installFakes(page)
+
+  const routes = [
+    ['/', 'marketing'],
+    ['/pricing', 'pricing'],
+    ['/for-agents', 'for-agents'],
+    ['/docs', 'docs'],
+    ['/blog', 'blog'],
+    ['/status', 'status'],
+    ['/use-cases', 'use-cases'],
+    ['/login', 'login'],
+    ['/claim?t=eyJhbGciOiJIUzI1NiJ9.fake.fake', 'claim'],
+    // Re-arm the token (claim flow may clear it), then enter /app.
+    ['__reset__', null],
+    ['/app', 'app-overview'],
+    ['/app/resources', 'app-resources'],
+    [`/app/resources/${FAKE_RESOURCES[0].id}`, 'app-resource-detail'],
+    ['/app/deployments', 'app-deployments'],
+    ['/app/deployments/stk_flashcards', 'app-deployment-detail'],
+    ['/app/billing', 'app-billing'],
+    ['/app/team', 'app-team'],
+    ['/app/vault', 'app-vault'],
+    ['/app/settings', 'app-settings'],
+    ['/app/stacks', 'app-stacks'],
+    ['/app/agent', 'app-agent'],
+    ['/app/contracts', 'app-contracts'],
+  ]
+  const results = []
+  for (const [route, slug] of routes) {
+    if (route === '__reset__') continue
+    try {
+      const isApp = route.startsWith('/app')
+      await page.goto(BASE + route, { waitUntil: 'domcontentloaded', timeout: 15000 })
+      if (isApp) {
+        // After AuthGate runs once with no token (synchronously), re-seed and reload.
+        const onLogin = await page.locator('h1').first().textContent().catch(() => '')
+        if ((onLogin || '').includes('Sign in')) {
+          await page.evaluate(() => localStorage.setItem('instanode.token', 'ink_FAKE_RETRO'))
+          await page.goto(BASE + route, { waitUntil: 'domcontentloaded', timeout: 15000 })
+        }
+      }
+      await page.waitForTimeout(900)
+      results.push(await audit(page, route, slug))
+    } catch (e) {
+      console.log(`FAIL ${route}: ${e.message}`)
+    }
+  }
+  fs.writeFileSync(`${OUT}/audit.json`, JSON.stringify(results, null, 2))
+  await ctx.close()
+  await browser.close()
+  console.log(`\nDONE — ${results.length} routes audited`)
+}
+
+main().catch((e) => { console.error(e); process.exit(1) })

src/App.tsx

@@ -93,9 +93,6 @@ const BillingPage = lazy(() =>
 const SettingsPage = lazy(() =>
   import('./pages/SettingsPage').then((m) => ({ default: m.SettingsPage })),
 )
-const AgentPage = lazy(() =>
-  import('./pages/AgentPage').then((m) => ({ default: m.AgentPage })),
-)
 const ContractsPage = lazy(() =>
   import('./pages/ContractsPage').then((m) => ({ default: m.ContractsPage })),
 )
@@ -199,7 +196,6 @@ export function AppRoutes() {
           <Route path="team" element={<TeamPage />} />
           <Route path="billing" element={<BillingPage />} />
           <Route path="settings" element={<SettingsPage />} />
-          <Route path="agent" element={<AgentPage />} />
           <Route path="contracts" element={<ContractsPage />} />
         </Route>
 

src/api/index.test.ts

@@ -497,15 +497,14 @@ describe('fetchMe()', () => {
     window.history.pushState({}, '', '/')
   })
 
-  it('falls back to FIXTURE shapes on a 500', async () => {
-    const m = installFetch()
-    m.mockResolvedValueOnce(jsonResponse(
-      { error: 'boom' },
-      { status: 500 },
-    ))
-    const r = await fetchMe()
-    // fixture user id is u_aanya — proves we hit the fallback.
-    expect(r.user.id).toBe('u_aanya')
+  it('propagates errors on 5xx instead of silently serving a fixture identity (§10.21.1)', async () => {
+    // Previously fetchMe() fell back to FIXTURE_USER on 500 so the chrome
+    // silently rendered "acme-corp / aanya@acme.dev" mock data when the
+    // backend was down. Removed — errors propagate; useDashboardCtx
+    // records meErr and chrome shows the workspace placeholder.
+    const m = installFetch()
+    m.mockResolvedValueOnce(jsonResponse({ error: 'boom' }, { status: 500 }))
+    await expect(fetchMe()).rejects.toBeDefined()
   })
 })