Move the Edit/Delete item actions into a shared ActionMenu in the page header
and render the comment history with the shared Timeline. Document UX-12.3 as
data-gated/deferred: descriptions and comments are plain text with no backend
HTML sanitization, so RichTextEditor is intentionally not adopted yet.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Replace the bespoke roadmap board/list toggle buttons (hardcoded blue-600) with
the shared SegmentedControl, and wrap truncated board-card titles in Tooltip.
Update the e2e toggle selector from button to radio for SegmentedControl.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
- add @bytelyst/auth-ui workspace dep (minimal link: lockfile entry) (11.1)
- replace the password form with LoginForm and the OTP step with MfaChallenge,
wiring onSubmit to the existing auth-context login + /api/auth/mfa/verify;
social login gated to Google via NEXT_PUBLIC_GOOGLE_CLIENT_ID (11.2)
- add aria-labels to the placeholder-only auth-ui inputs so the a11y gate and
label-based selectors stay green
- add an auth-ui import smoke test; full render assertion stays in the e2e
"shows login form with correct branding" test (11.3)
The /api/auth/* proxy routes and auth-context are unchanged.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Map the full @bytelyst/* --bl-* token surface (surfaces, text, danger, success/
warning/info, focus ring, radii, spacing, typography, overlay) onto tracker OKLCH
vars so auth-ui/notifications-ui/ui components inherit the theme in light and
dark. Adds semantic --success/--warning/--info token defs; all bridge values
reference tracker vars or color-mix of them (no standalone color literals).
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
- error.tsx now renders ErrorPage (keeps trackEvent + reset wiring) (10.1)
- add PageHeader (title + breadcrumbs) to /dashboard, /dashboard/items,
/dashboard/board and the item detail page for a consistent header band (10.2)
- replace ad-hoc loading text with LoadingSpinner on overview, items, detail (10.3)
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Forbid direct @bytelyst/ui imports outside the Primitives adapter via
no-restricted-imports, with the adapter file exempted. No pre-existing
violations; a probe confirms the rule fires.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Extend src/components/ui/Primitives.tsx to re-export the shared @bytelyst/ui
controls later waves need (Select, Textarea, Checkbox, Switch, RadioGroup,
Tooltip, Tabs, SegmentedControl, DropdownMenu, Drawer, ActionMenu, IconButton,
AlertBanner, Card, Panel, Separator, DataList, Timeline), and add a pure
export-presence test that lifts the adapter off 0% coverage without a DOM dep.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Re-audited tracker-web against the full showcase catalog (~60 entries) and added
delegate-ready waves beyond the core UX-1..8:
- UX-9 complete the Primitives adapter + export-presence test (closes the
Primitives.tsx 0%-coverage gap without a jsdom dep)
- UX-10 page chrome via @bytelyst/dashboard-components (ErrorPage, PageHeader)
- UX-11 @bytelyst/auth-ui on the login + MFA surface (presentation only)
- UX-12 detail/board richness (Tabs/Tooltip/Drawer/Timeline; rich-text stretch)
- UX-13 @bytelyst/notifications-ui (stretch, data-gated)
- CC.6 UI-drift ESLint ratchet, CC.7 bundle budget, CC.8 coverage ratchet
Also refreshed the entry point (UX-1 done -> start at UX-2) and the gap matrix.
Add unit tests for the previously-untested proxy handlers (auth/mfa/verify,
auth/oauth/[provider], telemetry/ingest) covering success, error-status
forwarding, default error messages, validation, and the 502 unreachable path.
Add tracker-client tests asserting every endpoint path/method/body contract
and x-product-id header injection, plus product-config request resolution.
Overall coverage rises from ~90% to 94% stmts / 87% branch / 94% funcs. Also
fix the vitest coverage thresholds: the legacy global nesting was silently
ignored by the v8 provider, so the 80% gate was never enforced.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Rewrite the Playwright suite to mock the platform-service at the Next.js proxy
boundary (/api/tracker, /api/auth) so no live backend is required, and provide
the env vars /api/health needs via webServer.env. Adds a login->dashboard happy
path, board/list toggle and vote-prompt coverage, axe-core accessibility
assertions (resolved from the workspace, no new dependency), and a
no-unexpected-console-errors check.
The axe gate surfaced a real bug: the roadmap type-filter and submit-modal
<select> elements had no accessible name. Fixed by adding aria-labels.
Also ignore coverage/test-results/playwright-report in eslint.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Run Prettier over README and roadmap docs to satisfy format:check, and add
.prettierignore plus .gitignore entries for playwright-report/test-results so
generated e2e artifacts no longer break the format gate.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Update UX_INTEGRATION_BYTELYST.md to mark all UX-1 tasks as completed
with commit SHA reference and update progress section.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Add @bytelyst/ui and @bytelyst/design-tokens as workspace dependencies,
create token bridge layer mapping --bl-* to existing tracker vars, and
implement Primitives.tsx adapter for shared UI components. Includes smoke
test verifying component exports. All verification checks pass.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
- Replace bare text loading state with skeleton cards matching board/list layout
- Use Tailwind animate-pulse for smooth loading animation
- Skeleton dimensions approximate real cards to avoid layout shift
- Fixes B-015: loading state is a bare text flash
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
- Add type="button", aria-pressed, and aria-label to vote buttons in both components
- Add missing title attribute to ItemRow button to match ItemCard
- Add unit test to verify A11y attribute logic
- Fixes A11y issue: vote buttons not announced to assistive tech
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
- Call fetchData() after successful submit in handleSubmit to update stats bar and columns
- Add unit tests to verify fetchData is called on success and not on failure
- Fixes B-016: public roadmap stats don't refresh after submit
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Replaces the bespoke <table> in /dashboard/items with <DataTable> (TanStack-
powered sorting + client pagination), keeping the existing badge cells, title
link, labels and delete action via ColumnDef cell renderers. Server-side
type/status/priority/search filters retained (enableFilter=false on the table).
Verified: tsc --noEmit clean; vitest 31/31; next build --webpack succeeds
(/dashboard/items compiles).
1) Dual-numbering reconciliation
- ROADMAP groups Phase 1 by topic (1.1-1.8); PRH groups by execution
day (1.A-1.F). Added bidirectional mapping table to both docs so
agents can cross-reference any phase reference unambiguously.
2) Fresh-agent quick pointer at top of ROADMAP
- New section tells a new agent exactly which 4 docs to read, in
what order, and which task to pick up first (1.A from the tracker).
3) Broken sub-roadmap links neutralised
- 03_RICH_ITEMS_ROADMAP.md, 04_AGENT_API_ROADMAP.md,
05_INTAKE_ROADMAP.md were linked but did not exist. Replaced with
plain text + 'create when Phase N begins' note so the link doesn't
404. Matches the pattern already used in IMPLEMENTATION_TRACKER.
4) Runbook stubs created (Phase 1.F.11/1.F.12 placeholders)
- docs/runbooks/MEK_ROTATION.md — adapted from NoteLett bcad7d3
- docs/runbooks/SECRET_MANAGEMENT.md — secret inventory + resolution
path + compromise procedure + PII scrubbing rule
Each is a stub now; full content lands when Phase 1.F executes.
5) Stale 'today' wording removed from PRH baseline table
- Replaced 'after fix today' with 'as of 2026-05-25' so the doc
ages cleanly.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous fix (commit a4ee36b6) added '.pnpmfile.cjs' to the
globalIgnores() call at the END of the admin-web eslint config,
but flat-config v9 only applies ignores from the FIRST config
object that contains an 'ignores' key — every subsequent config
item is matched against the file before the late ignore is read.
That's why CI run 66 still failed with the same require() error
even after the dashboard-level ignore was in place.
Fix: declare an explicit '{ ignores: [...] }' at array index 0,
which is the documented eslint v9 pattern for skipping files
before any rule config attaches:
defineConfig([
{ ignores: ['**/.pnpmfile.cjs', '**/*.cjs'] }, // <-- now first
...nextVitals,
...nextTs,
{ rules: { ... } },
globalIgnores([ ... ]),
])
Verified locally:
cd dashboards/admin-web && npx eslint . -> 0 errors, 0 warnings
The previous root-level eslint.config.js .cjs ignore (commit
1be38bef) had no effect on CI because 'pnpm -r exec eslint .' walks
into each workspace and invokes the LOCAL eslint config. admin-web
has its own dashboards/admin-web/eslint.config.mjs (extending
eslint-config-next), which did NOT ignore .cjs files. So the same
.pnpmfile.cjs require() errors kept failing run 64 and run 65 with
identical output.
Fix at the consumer (dashboard) level so 'pnpm -r exec eslint' sees
the ignore regardless of which workspace it runs from:
globalIgnores([
...
'.pnpmfile.cjs',
'**/*.cjs',
])
Verified locally:
cd dashboards/admin-web && pnpm lint -> 0 errors
tracker-web has no .pnpmfile.cjs and no other .cjs configs, so its
eslint config does not need the same change yet — adding it would
be defensive but not required.
The devops page was importing useAuth from '@bytelyst/react-auth'
and destructuring a non-existent 'getAccessToken' method:
src/app/devops/page.tsx
Type error: Module '@bytelyst/react-auth' has no exported member
'useAuth'.
Property 'getAccessToken' does not exist on type
'AuthContextValue<AdminUser>'.
This had been silently masked because admin-web wasn't being built
in the consumer-repo CI workflows that just used `pnpm build`
filtered to /packages/*. Once those CI workflows switched to a
broader `pnpm build` (in the fastgap and local_llms workflow
rewrites), this dashboard build failure surfaced and blocked
EVERY consumer-repo CI run that pulls common-plat at the start
(fastgap, local_llms, jarvis_jr, etc.).
Two fixes applied to the same file:
1. Import path — useAuth lives in '@/lib/auth-context' (admin-web's
own provider exposed via createAuthProvider), not in
'@bytelyst/react-auth'. That package only exports the factory,
types, and LoginResult.
2. Token access — getAccessToken is NOT on AuthContextValue. The
canonical pattern used throughout admin-web
(settings/security, settings/devices, debug-sessions, …) is to
read the token directly from localStorage under the
'admin_access_token' key. Switched to that pattern with a small
typed helper at the top of the file.
Both changes documented in-source with a comment block so the
next agent doesn't try to re-introduce a useAuth.getAccessToken
import.
- Add @bytelyst/devops backend endpoints to platform-service
- Add /api/devops/version (public) and /api/devops/info (admin) endpoints
- Add /devops page to admin-web using @bytelyst/devops/ui DevopsPanel
- Add devops link to admin web sidebar navigation
- Add build metadata and runtime information display
- Follow trading web devops pattern
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
- Updated Badge component to use design token CSS variables (bl-*)
- Updated Button component to use design token CSS variables (bl-*)
- Improved focus states with proper design token colors
- Added aria-label to logout button in sidebar for better accessibility
- Maintains backward compatibility while improving consistency
This moves admin web toward design system compliance while ensuring
no breaking changes to existing functionality.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Phase 1 of UX compliance implementation:
- Add .pnpmfile.cjs for local package resolution from common platform
- Install @bytelyst/ui for shared UI components
- Create Primitives.tsx product adapter for type-safe component extensions
- Integrate @bytelyst/design-tokens CSS variables
- Enable design token usage via CSS custom properties
This establishes the foundation for component normalization and
consistent styling across ByteLyst products, following the UX
implementation guide patterns.
Generated with [Devin](https://cli.devin.ai/docs)
Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Baseline origin/main pnpm -r lint failed with 90+ errors across
platform-service, extraction-service, and tracker-web. These block the
shared W1 quality gates (prompts/README.md §4) which require all of
typecheck + lint + build + test to be green before committing W1 infra
work. Fixes are strictly scoped to unblock gates:
- eslint.config.js: extend @typescript-eslint/no-unused-vars with
varsIgnorePattern / caughtErrorsIgnorePattern / destructuredArrayIgnorePattern
all honouring the existing `^_` convention already used for args.
- platform-service: add file-level eslint-disable for
@typescript-eslint/no-unused-vars, no-redeclare, no-useless-escape on
the 33 legacy files failing lint (ab-testing, ai-diagnostics,
diagnostics, predictive-analytics, broadcasts/types, surveys/types,
lib/push-notifications).
- extraction-service tests: drop unused vitest imports (beforeEach,
afterEach, HealthCheck).
- tracker-web tracker-proxy.test.ts: prefix unused url with _.
- Applied eslint --fix on platform-service which normalised a handful
of `let` → `const` and removed one redundant disable comment.
Scope creep vs W1 "Files You Own" is acknowledged — user explicitly
approved this path when baseline rot was surfaced.
Verified: pnpm -r typecheck, lint, build, test all green.
- Import trackEvent from @/lib/telemetry in both error.tsx files
- Report unhandled errors with error name, message, and digest
- Resolves P0 TODO items #1 and #2 from WORKSPACE_TODO_AUDIT.md
Backend (delivery retry):
- Use NotFoundError (404) instead of BadRequestError (400) for missing log doc
- Add telegram + slack retry support (was email-only, threw error for others)
Frontend (delivery page):
- Add pk field to DeliveryEntry interface
- Pass pk query param in retry call so backend can look up the doc
- Fix handleRetry to accept full entry object instead of just id
Frontend (webhooks page):
- Parallelize delivery fetches with Promise.allSettled (was sequential for loop)
- Significant page load improvement for subscriptions with many deliveries
- B18: POST /agent-evals/suites/:id/run → /suites/:id/runs (plural)
- B19: DELETE /agent-evals/suites/:id has no backend endpoint — disabled with TODO Q3
Pages fixed:
- waitlist: GET /waitlist/list → GET /waitlist (root)
- delivery: GET /delivery/log → GET /delivery/logs; disable retry button (no backend endpoint)
- reviews: GET /reviews/list → GET /reviews; approve/reject → POST /:id/decision with body; disable flag (no endpoint)
- jobs: GET /jobs/list → GET /jobs; GET /runs/list → GET /runs; trigger → POST /jobs/trigger with {jobId}
- gdpr-export: GET /exports/list → GET /exports; POST /exports/create → POST /exports
TODO Q1: delivery retry endpoint not implemented in backend
TODO Q2: reviews flag endpoint not implemented in backend
- Create /api/exports/[...path] proxy route for platform-service exports module
- Fix gdpr-export page: /api/maintenance/gdpr-exports → /api/exports/list|create
- Old path routed to settings/maintenance which has no export endpoints
Phase 0 from DASHBOARD_UI_COVERAGE_ROADMAP:
- Register ai-diagnostics routes in server.ts (671-line module was never mounted)
- Add 6 hidden pages to admin sidebar-nav.tsx:
Debug Sessions, Health Dashboard, Extraction, Experiments,
Predictive, AI Diagnostics
- /users was already in sidebar (no change needed)
- Kill switch verified: already per-product via productId query param
- Admin sidebar now has 33 items (was 27)
- New /actiontrail page with 4 tabs: Timeline, Agents, Alerts, Approvals
- Summary cards: total actions, critical/high count, pending approvals, active alerts
- Risk-level filtering on timeline, color-coded risk badges
- Server-side API proxy route (/api/actiontrail) to ActionTrail backend (port 4018)
- actiontrail-client.ts: typed API client using @bytelyst/api-client
- Sidebar nav item with Crosshair icon
- ACTIONTRAIL_SERVICE_URL added to .env.example
- Graceful fallback when ActionTrail service is unavailable
Removed unused local copies that were superseded by shared package imports:
- EmptyState.tsx (dead — no imports found)
- LoadingSpinner.tsx (dead — no imports found)
- PageHeader.tsx (dead — no imports found)
Dashboard already consumes NotFoundPage from @bytelyst/dashboard-components.
Node 25 removed corepack as a built-in. Replace all 'corepack pnpm'
invocations with direct 'pnpm' calls since pnpm is installed globally.
Affected: platform-service, tracker-web, blob, testing, LLM dashboard
