fix(bugbash-p3): instanode-web P3 sweep — a11y, favicon, nav/pricing drift, SSE, 429 hint (#98)

Covers every remaining instanode-web P3 finding from BUGHUNT-REPORT-2026-05-18
not already handled by PR #96 (Wave D) or PR #97 (P2 wave):

- Global :focus-visible ring in tokens.css — keyboard/AT users had no
  consistent focus indicator anywhere (W3 T10, WCAG 2.4.7).
- favicon.ico + site.webmanifest — browsers' implicit /favicon.ico
  request 404'd; no web manifest existed (W5 T10).
- P3-08: MarketingPage Pro card "multi-env (dev/staging/prod + custom)"
  drifted from PricingPage's "dev/staging/prod" — aligned to the honest
  framing.
- P3-09: MarketingPage Team card rendered an empty <a href=""> dead CTA
  pill and the "talk to us" teaser had no contact link — Team CTA now a
  disabled "Coming soon" pill, teaser links mailto:hello@instanode.dev.
- P3-02: getResource() fired a /credentials fetch that 400'd for
  webhook/storage/queue resources — gated to db/redis/mongo via a named
  CREDENTIALED_RESOURCE_TYPES set.
- streamSSE only matched `data: ` (with space); the SSE spec makes the
  space optional — no-space `data:` lines were silently dropped.
- markdown renderer: content-repo cross-links written as `/use-cases/x.md`
  hit the SPA catch-all and dead-ended on the homepage — normalizeInternalHref
  strips a trailing `.md` from internal links.
- TeamPage unguarded Promise.all — no .catch(), no cancellation guard;
  a failed load left the page silently empty. Now mirrors the
  ResourcesPage/DeploymentsPage load pattern with an error banner.
- _headers: rewrote the comment to make unambiguous that the file is a
  non-operational migration artifact on GitHub Pages.
- 429/Retry-After user-facing hint (P2 deferred as P3): new retryHint.ts
  helper turns the retry-delay into a human "retry in Ns" string; wired
  into TeamPage's error banner. Reads the delay defensively so it works
  with or without PR #97's APIError.retryAfter field.

Tests: markdown .md-strip cases, retryHint unit tests added.
Gates: tsc --noEmit clean · vite build clean · vitest 645 passed, 3 skipped, 0 failed.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

index.html

@@ -23,9 +23,14 @@
     <meta name="twitter:description" content="Zero-setup infrastructure for AI agents. Provision real Postgres, Redis, MongoDB, queues, storage, and deployed apps with a single HTTP call." />
     <meta name="twitter:image" content="https://instanode.dev/apple-touch-icon.png" />
 
+    <!-- favicon.ico is listed first so the browser's implicit /favicon.ico
+         request (fired regardless of <link> tags) resolves to a real file
+         instead of 404ing — BugBash P3 (W5 T10). -->
+    <link rel="icon" href="/favicon.ico" sizes="any" />
     <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32.png" />
     <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16.png" />
     <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
+    <link rel="manifest" href="/site.webmanifest" />
     <link rel="preconnect" href="https://fonts.googleapis.com" />
     <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
     <link

public/_headers

@@ -1,7 +1,23 @@
-# GitHub Pages serves these files; this _headers is documentation only.
-# GitHub does not honor Netlify-style _headers files at runtime — kept here
-# so future readers (or a Netlify/Cloudflare Pages migration) have a record
-# of the intended Content-Type for plain-text assets the LLM crawlers fetch.
+# ─────────────────────────────────────────────────────────────────────
+# NON-OPERATIONAL FILE — this _headers does nothing on the live site.
+#
+# instanode.dev is hosted on GitHub Pages (see public/CNAME +
+# .github/workflows — actions/deploy-pages). GitHub Pages does NOT honor
+# Netlify/Cloudflare-style `_headers` files at runtime; it cannot be
+# configured to emit custom response headers at all.
+#
+# This is harmless in practice: GitHub Pages already serves `.txt`
+# assets with `Content-Type: text/plain; charset=utf-8` by default, so
+# the LLM crawlers that fetch /llms.txt and /llms-full.txt receive the
+# correct content type with or without this file.
+#
+# The file is kept ONLY as a migration artifact: if instanode.dev ever
+# moves to Netlify or Cloudflare Pages (both of which DO honor this
+# format), the intended header rules below are ready to take effect.
+# Until such a migration, treat this file as documentation, not config.
+# BugBash P3 (W5 T10): the previous comment under-stated this — a reader
+# could mistake the file for an active header config.
+# ─────────────────────────────────────────────────────────────────────
 /llms.txt
   Content-Type: text/plain; charset=utf-8
 /llms-full.txt

public/favicon.ico

@@ -0,0 +1,22 @@
+{
+  "name": "instanode",
+  "short_name": "instanode",
+  "description": "Zero-setup infrastructure for AI agents. Provision real Postgres, Redis, MongoDB, queues, storage, and deployed apps with a single HTTP call.",
+  "start_url": "/",
+  "scope": "/",
+  "display": "standalone",
+  "background_color": "#08080a",
+  "theme_color": "#08080a",
+  "icons": [
+    {
+      "src": "/favicon-32.png",
+      "sizes": "32x32",
+      "type": "image/png"
+    },
+    {
+      "src": "/apple-touch-icon.png",
+      "sizes": "180x180",
+      "type": "image/png"
+    }
+  ]
+}

public/site.webmanifest

@@ -8,7 +8,7 @@
 // real error banner instead of lying with mock data.
 
 import type {
-  Resource, DashboardStack, StackStatus,
+  Resource, ResourceType, DashboardStack, StackStatus,
   DashboardDeployment, DeploymentStatus, DeploymentFailure,
   DashboardTeam, BillingDetails, Invoice,
   TeamMember, TeamInvitation, AuthMeResponse, VaultEntry, ActivityItem,
@@ -505,6 +505,21 @@ export async function inviteMember(_body: { email: string; role: string }): Prom
 type ResourceListResp = { ok: boolean; items: any[]; total: number }
 type ResourceGetResp = { ok: boolean; item: any }
 
+// CREDENTIALED_RESOURCE_TYPES — the resource types whose
+// GET /api/v1/resources/:id/credentials endpoint returns a usable
+// `connection_url`. BugBash P3-02: getResource() fired the credentials
+// fetch unconditionally, so webhook / storage / queue resources (which
+// do not expose a connection_url on that endpoint) returned a 400 on
+// every detail-page open — spurious 400s in the API logs and NR
+// telemetry. Gating the fetch to these three types removes the noise
+// without changing behaviour for db/redis/mongo (the catch below still
+// guards genuine permission-hidden cases).
+const CREDENTIALED_RESOURCE_TYPES: ReadonlySet<ResourceType> = new Set<ResourceType>([
+  'postgres',
+  'redis',
+  'mongodb',
+])
+
 function adaptResource(r: any): Resource {
   return {
     id: r.id,
@@ -537,13 +552,18 @@ export async function listResources(env?: string): Promise<{ ok: true; items: Re
 
 export async function getResource(id: string): Promise<{ ok: true; resource: Resource }> {
   const r = await call<ResourceGetResp>(`/api/v1/resources/${id}`)
-  // The agent API splits credentials into a separate endpoint.
+  // The agent API splits credentials into a separate endpoint, but only
+  // db/redis/mongo expose a connection_url there — webhook/storage/queue
+  // 400 on it (BugBash P3-02). Gate the fetch on resource_type so we
+  // don't generate a spurious 400 on every detail-page open.
   let connection_url: string | undefined
-  try {
-    const c = await call<{ connection_url: string }>(`/api/v1/resources/${id}/credentials`)
-    connection_url = c.connection_url
-  } catch {
-    /* credentials may be hidden for some resource types */
+  if (CREDENTIALED_RESOURCE_TYPES.has(r.item?.resource_type)) {
+    try {
+      const c = await call<{ connection_url: string }>(`/api/v1/resources/${id}/credentials`)
+      connection_url = c.connection_url
+    } catch {
+      /* credentials may still be hidden (permissions, paused, etc.) */
+    }
   }
   return { ok: true, resource: adaptResource({ ...r.item, connection_url }) }
 }

src/api/index.ts

@@ -89,7 +89,27 @@ describe('inline — token rendering', () => {
   })
 
   it('renders [text](url) as <a>', () => {
-    expect(htmlInline('see [docs](/docs.md)')).toBe('see <a href="/docs.md">docs</a>')
+    expect(htmlInline('see [docs](/docs)')).toBe('see <a href="/docs">docs</a>')
+  })
+
+  // BugBash P3: content-repo cross-links are written two ways —
+  // `/use-cases/foo` and `/use-cases/foo.md`. The `.md` form would hit
+  // the SPA catch-all and dead-end on the homepage; normalizeInternalHref
+  // strips the trailing `.md` from internal links so both resolve.
+  it('strips a trailing .md from internal links', () => {
+    expect(htmlInline('see [docs](/docs.md)')).toBe('see <a href="/docs">docs</a>')
+    expect(htmlInline('[uc](/use-cases/foo-bar.md)'))
+      .toBe('<a href="/use-cases/foo-bar">uc</a>')
+  })
+
+  it('preserves a query/hash after a stripped .md suffix', () => {
+    expect(htmlInline('[x](/blog/post.md#section)'))
+      .toBe('<a href="/blog/post#section">x</a>')
+  })
+
+  it('does NOT strip .md from external links', () => {
+    expect(htmlInline('[raw](https://example.com/readme.md)'))
+      .toBe('<a href="https://example.com/readme.md">raw</a>')
   })
 
   it('renders [text](https://...) as external <a>', () => {

src/lib/markdown.test.tsx

@@ -149,7 +149,7 @@ export function inline(text: string, keyPrefix = 'i'): ReactNode {
     } else {
       const href = m[2]
       if (isSafeHref(href)) {
-        parts.push(<a key={k} href={href}>{m[1]}</a>)
+        parts.push(<a key={k} href={normalizeInternalHref(href)}>{m[1]}</a>)
       } else {
         // Unsafe href (e.g. javascript:) — render as plain text
         parts.push(matched)
@@ -177,3 +177,22 @@ function isSafeHref(href: string): boolean {
   if (/^https?:\/\//i.test(href)) return true
   return false
 }
+
+/* normalizeInternalHref — fixes the .md-suffix inconsistency in
+ * content-repo cross-links (BugBash P3).
+ *
+ * Blog posts and use-case pages in the content repo link to sibling
+ * pages two ways: some authors write `/use-cases/foo` (the real SPA
+ * route), others write `/use-cases/foo.md` (the source filename). The
+ * `.md` form hits the SPA catch-all and silently falls back to the
+ * homepage — a dead internal link.
+ *
+ * We strip a trailing `.md` from internal hrefs (those starting with
+ * `/`) so both authoring styles resolve to the same working route.
+ * External http(s) links and anchors are left untouched — a real `.md`
+ * file on an external host is a legitimate target. A query/hash after
+ * the `.md` is preserved (e.g. `/blog/x.md#section` → `/blog/x#section`). */
+function normalizeInternalHref(href: string): string {
+  if (!href.startsWith('/')) return href
+  return href.replace(/\.md(?=$|[?#])/, '')
+}

src/lib/markdown.tsx

@@ -0,0 +1,71 @@
+import { describe, it, expect } from 'vitest'
+import { retryAfterSeconds, isRateLimited, formatRetryHint } from './retryHint'
+
+describe('retryAfterSeconds', () => {
+  it('reads a numeric retryAfter field', () => {
+    expect(retryAfterSeconds({ retryAfter: 30 })).toBe(30)
+  })
+
+  it('ceils a fractional retryAfter to whole seconds', () => {
+    expect(retryAfterSeconds({ retryAfter: 12.4 })).toBe(13)
+  })
+
+  it('accepts retryAfter of 0', () => {
+    expect(retryAfterSeconds({ retryAfter: 0 })).toBe(0)
+  })
+
+  it('ignores a negative retryAfter field', () => {
+    expect(retryAfterSeconds({ retryAfter: -5 })).toBeNull()
+  })
+
+  it('falls back to a "retry after Ns" hint in the message', () => {
+    expect(retryAfterSeconds({ message: 'rate limited (retry after 45s)' })).toBe(45)
+  })
+
+  it('falls back to a "retry in Ns" hint in the message', () => {
+    expect(retryAfterSeconds({ message: 'too many requests, retry in 8 seconds' })).toBe(8)
+  })
+
+  it('returns null when no hint is present', () => {
+    expect(retryAfterSeconds({ message: 'something else broke' })).toBeNull()
+    expect(retryAfterSeconds(new Error('plain error'))).toBeNull()
+  })
+
+  it('never throws on non-object input', () => {
+    expect(retryAfterSeconds(null)).toBeNull()
+    expect(retryAfterSeconds(undefined)).toBeNull()
+    expect(retryAfterSeconds('a string')).toBeNull()
+  })
+})
+
+describe('isRateLimited', () => {
+  it('is true for an error with status 429', () => {
+    expect(isRateLimited({ status: 429 })).toBe(true)
+  })
+
+  it('is false for other statuses and non-objects', () => {
+    expect(isRateLimited({ status: 500 })).toBe(false)
+    expect(isRateLimited({ status: 402 })).toBe(false)
+    expect(isRateLimited(null)).toBe(false)
+    expect(isRateLimited('429')).toBe(false)
+  })
+})
+
+describe('formatRetryHint', () => {
+  it('renders sub-minute delays in seconds', () => {
+    expect(formatRetryHint(1)).toBe('Please retry in 1 second.')
+    expect(formatRetryHint(30)).toBe('Please retry in 30 seconds.')
+    expect(formatRetryHint(59)).toBe('Please retry in 59 seconds.')
+  })
+
+  it('rolls up minute-plus delays to minutes', () => {
+    expect(formatRetryHint(60)).toBe('Please retry in about 1 minute.')
+    expect(formatRetryHint(150)).toBe('Please retry in about 3 minutes.')
+  })
+
+  it('handles 0 and null', () => {
+    expect(formatRetryHint(0)).toBe('You can retry now.')
+    expect(formatRetryHint(null)).toBe('Please retry in a moment.')
+    expect(formatRetryHint(-1)).toBe('Please retry in a moment.')
+  })
+})

src/lib/retryHint.test.ts

@@ -0,0 +1,67 @@
+/* retryHint.ts — user-facing "retry in Ns" support for HTTP 429.
+ *
+ * BugBash: the data layer for 429 / Retry-After handling is wired in the
+ * APIError envelope (a `retryAfter` seconds field, parsed from the
+ * `Retry-After` response header). This module is the small, presentation-
+ * side counterpart — it turns that number into a human countdown string
+ * the dashboard can render next to a rate-limited error.
+ *
+ * It is deliberately defensive about where the number comes from:
+ *
+ *   1. `err.retryAfter` — the structured field on APIError (preferred).
+ *   2. a "(retry after Ns)" / "retry in Ns" fragment in `err.message` —
+ *      a fallback for errors that carry the hint only in their text.
+ *
+ * Reading the field through a loose `unknown` shape (rather than
+ * importing APIError) keeps this module decoupled: it works whether or
+ * not a given build's APIError exposes `retryAfter`, and never throws on
+ * a plain Error or a non-error value.
+ */
+
+// RETRY_HINT_RE — matches a retry-delay hint embedded in an error
+// message, e.g. "rate limited (retry after 30s)" or "retry in 12
+// seconds". Capture group 1 is the integer seconds.
+const RETRY_HINT_RE = /retry\s+(?:after|in)\s+(\d+)\s*s/i
+
+/** retryAfterSeconds — best-effort extraction of a non-negative retry
+ *  delay (in whole seconds) from a thrown value. Returns null when no
+ *  hint is present. */
+export function retryAfterSeconds(err: unknown): number | null {
+  if (!err || typeof err !== 'object') return null
+
+  const field = (err as { retryAfter?: unknown }).retryAfter
+  if (typeof field === 'number' && Number.isFinite(field) && field >= 0) {
+    return Math.ceil(field)
+  }
+
+  const message = (err as { message?: unknown }).message
+  if (typeof message === 'string') {
+    const m = message.match(RETRY_HINT_RE)
+    if (m) {
+      const secs = Number(m[1])
+      if (Number.isFinite(secs) && secs >= 0) return secs
+    }
+  }
+
+  return null
+}
+
+/** isRateLimited — true when the error is an HTTP 429. Reads `status`
+ *  defensively so it works on APIError without importing it. */
+export function isRateLimited(err: unknown): boolean {
+  return Boolean(err) && typeof err === 'object' &&
+    (err as { status?: unknown }).status === 429
+}
+
+/** formatRetryHint — turns a seconds count into a short human phrase.
+ *  `null`/negative input yields a generic fallback so callers can always
+ *  render a non-empty string for a 429. */
+export function formatRetryHint(seconds: number | null): string {
+  if (seconds == null || seconds < 0) return 'Please retry in a moment.'
+  if (seconds === 0) return 'You can retry now.'
+  if (seconds < 60) {
+    return `Please retry in ${seconds} second${seconds === 1 ? '' : 's'}.`
+  }
+  const mins = Math.ceil(seconds / 60)
+  return `Please retry in about ${mins} minute${mins === 1 ? '' : 's'}.`
+}

src/lib/retryHint.ts

@@ -63,9 +63,17 @@ export function streamSSE(path: string, handlers: SSEHandlers, signal?: AbortSig
         while ((nl = buffer.indexOf('\n')) >= 0) {
           const raw = buffer.slice(0, nl).trimEnd()
           buffer = buffer.slice(nl + 1)
-          // SSE lines look like: `data: <payload>` (or empty between events).
-          if (raw.startsWith('data: ')) {
-            handlers.onLine(raw.slice(6))
+          // SSE lines look like `data: <payload>` (or empty between
+          // events). BugBash P3: the spec (WHATWG, EventSource §9.2.6)
+          // makes the single space after the colon OPTIONAL — a server
+          // emitting `data:<payload>` (no space) is conformant. The old
+          // `startsWith('data: ')` check silently dropped every
+          // no-space line. Match the `data:` prefix and strip at most
+          // one leading space from the value, per the spec.
+          if (raw.startsWith('data:')) {
+            let value = raw.slice(5)
+            if (value.startsWith(' ')) value = value.slice(1)
+            handlers.onLine(value)
           }
         }
       }