dashboard: private deploys + IP allow-list UI (Track B / Pro+)

Track B for the private-deploy feature. Surfaces an opt-in "Private deploy"
toggle on /app/deployments and renders the privacy state + Pro+ editor on
/app/deployments/:id. Pro/Team/Growth get the live configurator; hobby /
free / anonymous get the feature-specific UpgradePromptCard via the new
`private_deploy` key in upgradeCopy.ts.

- api: createDeploy() + updateDeploymentAccess(); private/allowed_ips on
  DashboardDeployment + adapter. private defaults to false on older API
  builds so the UI never silently inherits stale state. PATCH endpoint is
  Track A's responsibility — a 404 surfaces a friendly "edits pending
  backend" hint instead of a raw error.
- IpAllowList: reusable tag input. Enter / comma / space commits; Backspace
  on empty pops; chips with × removal; loose IPv4 + IPv6 + CIDR regex with
  red-border feedback (server has the real validator); max 32 entries
  matching backend cap.
- DeploymentsPage: PrivateDeployConfigurator (Pro+) builds a precise agent
  prompt mirroring the createDeploy() wire shape — consistent with the
  read-only / agent-driven dashboard pattern.
- DeployDetailPage: header gains a `private` badge; PrivacyPanel section
  on the Overview tab shows public-hint or allowed_ips list; Pro+ edit
  affordance with save / cancel + tier + 404 error handling.
- Tests: 45 new tests across IpAllowList (19), DeploymentsPage tier-gate
  + toggle behaviour (5), DeployDetailPage privacy panel (6), and api
  contract coverage for createDeploy + updateDeploymentAccess (10).
  329/329 pass; 3 pre-existing skips. Build clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

src/api/index.test.ts

@@ -30,6 +30,8 @@ import {
   fetchStackFamily,
   listDeployments,
   getDeployment,
+  createDeploy,
+  updateDeploymentAccess,
   reportExperimentConverted,
   validatePromotion,
 } from './index'
@@ -953,6 +955,173 @@ describe('getDeployment()', () => {
     m.mockResolvedValueOnce(jsonResponse({ error: 'boom' }, { status: 500 }))
     await expect(getDeployment('d1')).rejects.toMatchObject({ status: 500 })
   })
+
+  it('surfaces private + allowed_ips when the API returns them', async () => {
+    const m = installFetch()
+    m.mockResolvedValueOnce(jsonResponse({
+      ok: true,
+      item: {
+        id: 'd1', app_id: 'd1', status: 'running', port: 8080, tier: 'pro',
+        env: {}, environment: 'production', created_at: 'x', updated_at: 'x',
+        private: true,
+        allowed_ips: ['8.8.8.8', '10.0.0.0/8'],
+      },
+    }))
+    const r = await getDeployment('d1')
+    expect(r.deployment?.private).toBe(true)
+    expect(r.deployment?.allowed_ips).toEqual(['8.8.8.8', '10.0.0.0/8'])
+  })
+
+  it('defaults private=false and allowed_ips=[] when the API omits both', async () => {
+    // Older Track A builds don't expose the privacy fields. The adapter
+    // must NOT silently inherit `private` from a stale frontend cache —
+    // it should normalise to false.
+    const m = installFetch()
+    m.mockResolvedValueOnce(jsonResponse({
+      ok: true,
+      item: {
+        id: 'd1', app_id: 'd1', status: 'running', port: 8080, tier: 'pro',
+        env: {}, environment: 'production', created_at: 'x', updated_at: 'x',
+      },
+    }))
+    const r = await getDeployment('d1')
+    expect(r.deployment?.private).toBe(false)
+    expect(r.deployment?.allowed_ips).toEqual([])
+  })
+})
+
+// ─── createDeploy() — POST /deploy/new with private + allowed_ips ────────
+// The dashboard's createDeploy helper is the wire-shape source of truth
+// for the private-deploy fields. The agent prompt on DeploymentsPage
+// renders these same keys, so a contract drift here would silently leak
+// into the prompt copy. We lock the field names + path explicitly.
+describe('createDeploy()', () => {
+  it('POSTs to /deploy/new with private + allowed_ips in the body', async () => {
+    const m = installFetch()
+    m.mockResolvedValueOnce(jsonResponse({
+      ok: true,
+      item: {
+        id: 'd1', app_id: 'd1', status: 'building', port: 8080, tier: 'pro',
+        env: { FOO: 'bar' }, environment: 'production',
+        created_at: 'x', updated_at: 'x',
+        private: true, allowed_ips: ['8.8.8.8'],
+      },
+    }))
+    const r = await createDeploy({
+      name: 'my-app',
+      port: 8080,
+      env: 'production',
+      env_vars: { FOO: 'bar' },
+      private: true,
+      allowed_ips: ['8.8.8.8'],
+    })
+    expect(r.ok).toBe(true)
+    expect(r.deployment.private).toBe(true)
+    expect(r.deployment.allowed_ips).toEqual(['8.8.8.8'])
+
+    const [url, init] = m.mock.calls[0]
+    expect(String(url)).toContain('/deploy/new')
+    expect(init?.method).toBe('POST')
+    const sent = JSON.parse(String(init!.body))
+    expect(sent.private).toBe(true)
+    expect(sent.allowed_ips).toEqual(['8.8.8.8'])
+    // env_vars rides under the server's legacy `env` alias; the env scope
+    // goes in `environment`.
+    expect(sent.env).toEqual({ FOO: 'bar' })
+    expect(sent.environment).toBe('production')
+  })
+
+  it('omits private + allowed_ips when caller does not pass them (public deploy)', async () => {
+    const m = installFetch()
+    m.mockResolvedValueOnce(jsonResponse({
+      ok: true,
+      item: {
+        id: 'd1', app_id: 'd1', status: 'building', port: 8080, tier: 'free',
+        env: {}, environment: 'production',
+        created_at: 'x', updated_at: 'x',
+      },
+    }))
+    await createDeploy({ name: 'my-app', port: 8080, env: 'production' })
+    const sent = JSON.parse(String(m.mock.calls[0][1]!.body))
+    expect(sent).not.toHaveProperty('private')
+    expect(sent).not.toHaveProperty('allowed_ips')
+  })
+
+  it('propagates 402 (tier gate) so the page can render an upgrade prompt', async () => {
+    const m = installFetch()
+    m.mockResolvedValueOnce(jsonResponse(
+      { error: 'upgrade_required', agent_action: 'upgrade_to_pro' },
+      { status: 402 },
+    ))
+    await expect(
+      createDeploy({ private: true, allowed_ips: ['8.8.8.8'] }),
+    ).rejects.toMatchObject({ status: 402 })
+  })
+
+  it('propagates 400 (validation_error) so the page can show inline IP errors', async () => {
+    const m = installFetch()
+    m.mockResolvedValueOnce(jsonResponse(
+      { error: 'validation_error', message: 'allowed_ips empty when private=true' },
+      { status: 400 },
+    ))
+    await expect(
+      createDeploy({ private: true, allowed_ips: [] }),
+    ).rejects.toMatchObject({ status: 400 })
+  })
+})
+
+// ─── updateDeploymentAccess() — PATCH /api/v1/deployments/:id ────────────
+// Track A's PATCH endpoint is still in flight. The dashboard helper still
+// issues the request — a 404 means "endpoint not yet shipped" and the
+// caller (PrivacyPanel on DeployDetailPage) surfaces a friendly hint.
+describe('updateDeploymentAccess()', () => {
+  it('PATCHes /api/v1/deployments/:id with private + allowed_ips', async () => {
+    const m = installFetch()
+    m.mockResolvedValueOnce(jsonResponse({
+      ok: true,
+      item: {
+        id: 'd1', app_id: 'd1', status: 'running', port: 8080, tier: 'pro',
+        env: {}, environment: 'production',
+        created_at: 'x', updated_at: 'y',
+        private: true, allowed_ips: ['1.1.1.1'],
+      },
+    }))
+    const r = await updateDeploymentAccess('d1', true, ['1.1.1.1'])
+    expect(r.deployment.private).toBe(true)
+    expect(r.deployment.allowed_ips).toEqual(['1.1.1.1'])
+    const [url, init] = m.mock.calls[0]
+    expect(String(url)).toContain('/api/v1/deployments/d1')
+    expect(init?.method).toBe('PATCH')
+    const sent = JSON.parse(String(init!.body))
+    expect(sent).toEqual({ private: true, allowed_ips: ['1.1.1.1'] })
+  })
+
+  it('URI-encodes the deployment id', async () => {
+    const m = installFetch()
+    m.mockResolvedValueOnce(jsonResponse({
+      ok: true,
+      item: { id: 'd weird', app_id: 'd', status: 'running', port: 1, tier: 'pro', env: {}, environment: 'production', created_at: 'x', updated_at: 'y' },
+    }))
+    await updateDeploymentAccess('d weird', false, [])
+    expect(String(m.mock.calls[0][0])).toContain('/api/v1/deployments/d%20weird')
+  })
+
+  it('propagates 404 so the page can surface "edits pending backend"', async () => {
+    const m = installFetch()
+    m.mockResolvedValueOnce(jsonResponse({ error: 'not_found' }, { status: 404 }))
+    await expect(updateDeploymentAccess('d1', true, ['8.8.8.8']))
+      .rejects.toMatchObject({ status: 404 })
+  })
+
+  it('propagates 402 (tier gate)', async () => {
+    const m = installFetch()
+    m.mockResolvedValueOnce(jsonResponse(
+      { error: 'upgrade_required', agent_action: 'upgrade_to_pro' },
+      { status: 402 },
+    ))
+    await expect(updateDeploymentAccess('d1', true, ['8.8.8.8']))
+      .rejects.toMatchObject({ status: 402 })
+  })
 })
 
 // ─── fetchStackFamily() — Pro+ env grid loader ───────────────────────────

src/api/index.ts

@@ -434,6 +434,12 @@ type DeploymentRespItem = {
   build_duration_s?: number
   resource_id?: string
   name?: string
+  // Track B (private deploys): server flags + IP allow-list. Older API
+  // builds omit these fields entirely — the adapter treats them as
+  // `private=false` and `allowed_ips=[]` so the dashboard never lies about
+  // privacy state when the backend hasn't shipped yet.
+  private?: boolean
+  allowed_ips?: string[]
 }
 
 type DeploymentsListResp = {
@@ -489,6 +495,11 @@ function adaptDeployment(d: DeploymentRespItem): DashboardDeployment {
     last_deploy_at: d.last_deploy_at ?? d.updated_at,
     build_duration_s: d.build_duration_s,
     resource_id: d.resource_id,
+    // Private-deploy fields (Track B). Older API builds omit them; we
+    // surface false / [] so the UI never silently inherits "private"
+    // state from a stale payload.
+    private: d.private ?? false,
+    allowed_ips: d.allowed_ips ?? [],
   }
 }
 
@@ -521,6 +532,102 @@ export async function getDeployment(
   }
 }
 
+// ─── createDeploy — POST /deploy/new (Track B private-deploy fields) ─────
+//
+// The dashboard doesn't usually drive deploys itself (the read-only model
+// favours agent-driven mutations via PromptCard), but the createDeploy
+// helper exists so:
+//   1. The "Configure private access" panel on DeploymentsPage can build a
+//      precise agent prompt that mirrors the request shape the helper
+//      would send (single source of truth for the field names).
+//   2. Future agentic flows in the dashboard (e.g. one-click redeploy with
+//      a privacy patch) can call this without re-implementing the contract.
+//
+// Body shape — accepted by the Track A backend:
+//   - tarball is uploaded multipart; the dashboard doesn't have file-upload
+//     UI yet, so this helper takes the metadata and trusts the caller to
+//     attach a tarball via FormData if needed (omit for prompts-only flow).
+//   - env_vars is sent as `env` (server's legacy alias) for symmetry with
+//     the response adapter above.
+//   - `private` (bool) + `allowed_ips` (string[]) are the Track B fields
+//     this Track B PR introduces. Backend returns 402 with agent_action on
+//     hobby/free/anonymous, 400 with `validation_error` on empty
+//     allowed_ips when private=true, or invalid IPs/CIDRs.
+//
+// Errors propagate (APIError with status + code); the caller decides
+// whether to surface them inline or fall back to the prompt-only path.
+export interface CreateDeployInput {
+  name?: string
+  port?: number
+  env?: string           // Env scope name (production / staging / dev).
+  env_vars?: Record<string, string>
+  resource_id?: string
+  /** Track B: gate the deploy by an IP allow-list. Requires Pro+. */
+  private?: boolean
+  /** Track B: IPv4 addresses or CIDR blocks (max 32) permitted when
+   *  `private` is true. Backend returns 400 on empty list when private=true
+   *  or on invalid IP/CIDR strings. */
+  allowed_ips?: string[]
+}
+
+export async function createDeploy(
+  input: CreateDeployInput,
+): Promise<{ ok: true; deployment: DashboardDeployment }> {
+  // Wire shape matches the Track A `POST /deploy/new` contract: env_vars
+  // is sent as `env` (legacy alias) for symmetry with the list-response
+  // adapter above. The dedicated `environment` field carries the env
+  // scope. `private` + `allowed_ips` ride alongside as top-level fields.
+  const body: Record<string, unknown> = {}
+  if (input.name) body.name = input.name
+  if (input.port !== undefined) body.port = input.port
+  if (input.env) body.environment = input.env
+  if (input.env_vars) body.env = input.env_vars
+  if (input.resource_id) body.resource_id = input.resource_id
+  if (input.private !== undefined) body.private = input.private
+  if (input.allowed_ips !== undefined) body.allowed_ips = input.allowed_ips
+  const r = await call<DeploymentGetResp>('/deploy/new', {
+    method: 'POST',
+    body: JSON.stringify(body),
+  })
+  if (!r.item) {
+    throw new APIError(500, 'invalid_response', 'POST /deploy/new returned no item')
+  }
+  return { ok: true, deployment: adaptDeployment(r.item) }
+}
+
+// ─── updateDeploymentAccess — PATCH /api/v1/deployments/:id (Track A) ────
+//
+// Pro+ feature: toggle a deployment's privacy state and edit its
+// allowed_ips after creation. The PATCH endpoint is Track A's
+// responsibility — until it ships, this helper still issues the request
+// and surfaces a 404 to the caller so the DeployDetailPage can render a
+// read-only "edits pending backend" hint instead of pretending the change
+// landed.
+//
+// Errors:
+//   - 402 with agent_action — tier gate (hobby / free / anonymous)
+//   - 400 with validation_error — empty allowed_ips when private=true,
+//     invalid IPs/CIDRs, > 32 entries
+//   - 404 — endpoint not yet shipped (Track A pending)
+//   - 5xx — server error; bubble up so the page shows a real banner
+export async function updateDeploymentAccess(
+  id: string,
+  privateFlag: boolean,
+  allowedIps: string[],
+): Promise<{ ok: true; deployment: DashboardDeployment }> {
+  const r = await call<DeploymentGetResp>(
+    `/api/v1/deployments/${encodeURIComponent(id)}`,
+    {
+      method: 'PATCH',
+      body: JSON.stringify({ private: privateFlag, allowed_ips: allowedIps }),
+    },
+  )
+  if (!r.item) {
+    throw new APIError(500, 'invalid_response', 'PATCH /deployments/:id returned no item')
+  }
+  return { ok: true, deployment: adaptDeployment(r.item) }
+}
+
 // ─── Stack family — env-sibling grid ─────────────────────────────────────
 // GET /api/v1/stacks/:slug/family returns root + every direct child as a
 // flat list (root first) so the dashboard can render "production · staging

src/api/types.ts

@@ -103,6 +103,14 @@ export interface DashboardDeployment {
   build_duration_s?: number
   /** Optional resource binding (UUID of the primary resource). */
   resource_id?: string
+  /** When true the deploy is gated by an IP allow-list; agents/browsers
+   *  outside `allowed_ips` get a 403 from the edge. Defaults to false on
+   *  older API builds (public deploy). Pro+ feature — anonymous / free
+   *  / hobby get 402 from POST /deploy/new when this is set. */
+  private?: boolean
+  /** IPv4 addresses or CIDR blocks (max 32) permitted to reach the
+   *  deployment when `private=true`. Empty / undefined when public. */
+  allowed_ips?: string[]
 }
 
 export interface DashboardTeam {