feat: Add Fireproof Dashboard POC with tenant/ledger management

[jchris]

Summary

Initial proof-of-concept for Fireproof Dashboard integration at /fireproof route. This PR prepares the vibes.diy codebase to consume the Fireproof dashboard API (currently in unmerged PR in fireproof repo).

What's Implemented

• ✅ Installed and configured @tanstack/react-query for data fetching
• ✅ Added QueryClientProvider to root layout (inside ClerkProvider, wrapping entire app)
• ✅ Created /fireproof route with dashboard component
• ✅ Implemented API client setup using Clerk authentication with "with-email" template
• ✅ Added queries for listing user tenants and ledgers
• ✅ Built UI to display tenant and ledger information with proper loading/error states
• ✅ Used existing VITE_CONNECT_API_URL environment variable for API endpoint

Current Blocker

Build Error: DashboardApi is not exported from @fireproof/core-protocols-dashboard@0.23.15

error TS2305: Module '"@fireproof/core-protocols-dashboard"' has no exported member 'DashboardApi'.

The dashboard API client and types exist in the Fireproof codebase but are not yet published in the npm package. Once the Fireproof dashboard PR is merged and published, this will work.

Architecture Decisions

1. Simple POC approach: Dashboard logic lives directly in the route component (not a reusable context) for faster iteration
2. React Query: Chose React Query for API state management - aligns well with async data fetching patterns
3. Clerk "with-email" token template: Required by Fireproof dashboard API for user identification
4. Result monad handling: Followed Fireproof's pattern of throwing errors directly from .Err() without wrapping

Files Changed

• vibes.diy/pkg/app/root.tsx - Added QueryClientProvider setup
• vibes.diy/pkg/app/routes.ts - Added /fireproof route configuration
• vibes.diy/pkg/app/routes/fireproof.tsx - New dashboard route component
• vibes.diy/pkg/package.json - Added dependencies

Next Steps

1. Wait for Fireproof dashboard API to be published to npm
2. Test with real API endpoint once available
3. Add create/update/delete functionality (currently read-only)
4. Consider extracting to reusable context if needed beyond POC

Test Plan

• Code compiles (blocked by missing export)
• Route accessible at /fireproof
• Auth check works (logged out users see prompt)
• API calls succeed with Clerk token
• Tenants display correctly
• Ledgers display correctly with tenant associations

🤖 Generated with Claude Code

[netlify]

✅ Deploy Preview for fireproof-ai-builder ready!

Name	Link
🔨 Latest commit	ebd9e03
🔍 Latest deploy log	https://app.netlify.com/projects/fireproof-ai-builder/deploys/692eeaabdb9af400083b1aa8
😎 Deploy Preview	https://deploy-preview-659--fireproof-ai-builder.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 45 (🟢 up 1 from production) Accessibility: 97 (no change from production) Best Practices: 92 (no change from production) SEO: 92 (no change from production) PWA: 60 (no change from production) View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid leaking cached tenant/ledger data across users

React Query caches both tenant and ledger fetches under fixed keys (["listTenantsByUser"] and ["listLedgersByUser"], lines 56‑66) while the global QueryClient in root.tsx marks query data fresh for five minutes (lines 25‑30). If user A signs out and user B signs into the same browser within that window, React Query treats the cached data as fresh and will render A’s tenants/ledgers for B without refetching, leaking account data across sessions. The cache needs to be invalidated on auth changes or the keys scoped by user identity.

Useful? React with 👍 / 👎.

[charliecreates]

The main functional concern is that DashboardApi is imported from @fireproof/core-protocols-dashboard even though it is not yet exported by the published package, which will cause build failures and tightly couples this POC to an unpublished upstream change. There is also a compatibility risk from unguarded window.fetch usage in the route component, which will break SSR or non-DOM environments. UX-wise, the dashboard does not clearly handle the !isLoaded Clerk state, and uses array indices as React keys for ledger users, which could lead to subtle rendering issues once mutations are added. Overall structure and React Query integration look reasonable, but these issues should be addressed before merging into a mainline branch.

Additional notes (1)

• Maintainability | vibes.diy/pkg/app/routes/fireproof.tsx:114-271
  The tenant and ledger sections both implement nearly identical patterns for loading, error, empty, and list states, with only labels and field mappings differing. While acceptable for a POC, this duplication will be hard to keep in sync as you evolve the dashboard (e.g. shared styling, skeletons, or error behaviors).

Extracting a small reusable Section/List component that accepts title, query, and a render function for items would simplify future feature additions and reduce the chance of diverging UX between related lists.

Summary of changes

Summary of Changes

• Added @fireproof/core-protocols-dashboard and @tanstack/react-query as app dependencies and wired them into the pnpm-lock.yaml.
• Introduced a global QueryClient instance and wrapped the app tree with QueryClientProvider inside ClerkProvider in root.tsx.
• Registered a new /fireproof route in routes.ts.
• Implemented a new FireproofDashboard route component that:
  • Uses Clerk auth (useAuth) and a DashboardApi client (from @fireproof/core-protocols-dashboard).
  • Uses React Query to fetch and display tenants and ledgers for the signed-in user.
  • Provides loading, error, and empty states, plus an unauthenticated view.
• Added basic meta tags for the Fireproof dashboard route.

[charliecreates]

Instantiating DashboardApi with window.fetch.bind(window) will throw at render time in any non-DOM environment (SSR, tests, or future worker contexts) because window is undefined there. Since this route component is imported from the routes table, any server-side evaluation or pre-rendering will crash before auth or query logic runs.

For route components in frameworks that may execute code on the server, you should avoid unconditional window access in the render path. A safer approach is to:

• Use the global fetch (which is available in more environments) if the API client supports it, or
• Lazily create the client only when typeof window !== 'undefined', and show a loading or unsupported message otherwise.

As-is, this POC could break SSR or automated tests that render the route.

Suggestion

Switch to the global fetch if DashboardApi does not require a bound window instance, e.g. fetch: fetch, or guard the creation with a runtime check such as if (typeof window === 'undefined') return null; (with a corresponding UI fallback) before you call new DashboardApi(...). I can suggest a concrete guard pattern and minimal UI fallback for non-browser environments if you’d like — reply with "@CharlieHelps yes please" and I’ll add it.

[jchris]

just simplify dont test window

[charliecreates]

The FireproofDashboard component renders tenant and ledger sections even when isLoaded is false, which means you can hit a state where Clerk has not finished loading but the React Query hooks are disabled (enabled: false). In that case, the UI shows neither loading nor auth status explicitly, which can be confusing — the page appears mostly empty instead of showing a loading indicator while auth initializes.

A small explicit !isLoaded loading state before the signed-in/unsigned branches would improve perceived correctness and make the auth lifecycle clearer.

Suggestion

Add an early if (!isLoaded) branch that returns a simple loading view (e.g., a spinner or "Loading account..." message) before checking isSignedIn. This keeps the UX consistent while Clerk initializes. If you’d like a concrete snippet added to the component, reply with "@CharlieHelps yes please" and I’ll propose one.

[charliecreates]

The users.map in the ledger section uses the array index (idx) as the React key. This can cause subtle UI bugs if the users array changes over time (e.g., order or membership), because React will reuse DOM nodes incorrectly. Since each user appears to have a stable identifier (user.userId), that would be a more appropriate key.

In a dashboard that will eventually support mutations (add/remove users), using a stable key now will avoid headaches later.

Suggestion

Prefer a stable identifier over the array index for the React key, e.g. key={user.userId} (or a composite of ledger.ledgerId and user.userId if needed). I can draft the exact change in this map call if you reply with "@CharlieHelps yes please".

[charliecreates]

wrapResultToPromise is a nice adapter, but it currently throws res.Err() directly, which for non-Error values will produce opaque error output in React Query (e.g. "Error: [object Object]") and can break places that do instanceof Error checks. In this file you are already checking tenantsQuery.error instanceof Error, so non-Error values will silently fall back to the generic "Unknown error" message even if the underlying error contained useful details.

Given you mentioned following the pattern of throwing errors directly from .Err(), it's worth normalizing here at the boundary with React Query to guarantee consumers always see an Error with a meaningful message while still preserving the original error for logging or debugging.

Suggestion

You can wrap non-Error results into an Error instance while preserving details for inspection, so React Query and your UI logic behave consistently:

function wrapResultToPromise<T>(pro: () => Promise<Result<T>>) {
  return async (): Promise<T> => {
    const res = await pro();
    if (res.isOk()) {
      return res.Ok();
    }

    const err = res.Err();
    if (err instanceof Error) {
      throw err;
    }

    // Preserve original error object for debugging
    // while ensuring React Query always gets an Error
    const wrapped = new Error(
      typeof err === "string" ? err : "Request failed",
    );
    (wrapped as any).cause = err;
    throw wrapped;
  };
}

This keeps the Result-monad semantics but makes error handling in the UI predictable. Reply with "@CharlieHelps yes please" if you'd like me to add a commit with this suggestion.

[charliecreates]

Both tenants and ledgers queries use static keys without incorporating the current user or auth state. If a user signs out and another user signs in within the same browser session, React Query will happily serve the cached data for the previous user under the same keys ("listTenantsByUser", "listLedgersByUser"), leading to potential cross-user data leakage within the client session.

Using Clerk, you likely have access to a stable user identifier (e.g. user ID or email from the token/template). Incorporating this identifier into the query keys and/or clearing the query cache on auth changes avoids accidental reuse of previous users' cached dashboard data.

Suggestion

Include a user-specific element in the query keys so cache entries are properly segmented per user, or explicitly clear these queries on sign-out:

const { isSignedIn, isLoaded, getToken, userId } = useAuth();

const tenantsQuery = useQuery<ResListTenantsByUser>({
  queryKey: ["listTenantsByUser", userId],
  queryFn: wrapResultToPromise(() => api.listTenantsByUser({})),
  enabled: isLoaded && isSignedIn && !!userId,
});

const ledgersQuery = useQuery<ResListLedgersByUser>({
  queryKey: ["listLedgersByUser", userId],
  queryFn: wrapResultToPromise(() => api.listLedgersByUser({})),
  enabled: isLoaded && isSignedIn && !!userId,
});

Alternatively, you can subscribe to Clerk auth events and call queryClient.removeQueries({ queryKey: ["listTenantsByUser"] }) / removeQueries({ queryKey: ["listLedgersByUser"] }) on sign-out. Reply with "@CharlieHelps yes please" if you'd like me to add a commit with this suggestion.

[charliecreates]

The global QueryClient instance is created at module scope with default options, which is good, but there is no strategy for cache invalidation on auth changes. Because the QueryClientProvider wraps the entire app, when a user signs out and another user signs in, any user-scoped queries (like your dashboard data) will remain in the cache unless keys or session boundaries are managed explicitly.

Especially when combined with static query keys, this can create subtle cross-user data exposure within the same browser session. Even if you fix the keys, it's generally a good idea to reset or partially clear the query cache on auth state transitions for user-scoped data.

Suggestion

Consider either scoping the QueryClient to the current auth session or listening to Clerk auth events to clear user-specific queries on sign-out:

// example: create a hook or effect near your auth boundary
useEffect(() => {
  if (!isSignedIn && isLoaded) {
    queryClient.clear();
  }
}, [isSignedIn, isLoaded]);

Alternatively, if you segment query keys by userId, target only those keys with removeQueries. This keeps the global cache while preventing leakage of user-specific data across sessions. Reply with "@CharlieHelps yes please" if you'd like me to add a commit wiring this up with Clerk auth events.

[github-actions]

🎉 Hosting Preview Deployment

Preview URL: https://pr-659-vibes-hosting-v2.jchris.workers.dev
Worker: pr-659-vibes-hosting-v2
Commit: 2bae9a0

Test the preview:

1. Visit the preview URL above
2. Test hosting functionality (KV assets, queue operations)
3. Verify API integrations work correctly
4. Check domain routing is disabled (workers.dev only)

---

_{This preview will be automatically updated on each push to this PR}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Reset fp-cloud token on sign-out

The effect that fetches fp-cloud-jwt short-circuits whenever fpCloudToken is truthy, but the token state is never cleared when a user signs out. If user A opens /fireproof, gets a token, signs out, and user B signs in, fpCloudToken still holds A’s token so the effect never requests a new session token and all subsequent API calls use the stale UCAN. That results in B seeing A’s data or hitting auth errors until the page is refreshed.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Scope query cache to current user

Both tenant and ledger queries use static keys (e.g. queryKey: ["listTenantsByUser"]) while the new QueryClient is configured with a 5‑minute stale window (root.tsx lines 26‑30). If user A loads the dashboard and signs out, then user B signs in within that window, React Query will treat the cached response as fresh and serve A’s tenants/ledgers to B without refetching. The query keys should include the signed-in user (or the cache should be invalidated on auth changes) to avoid cross-user data leakage.

Useful? React with 👍 / 👎.

[charliecreates]

• The DashboardApi import from @fireproof/core-protocols-dashboard will continue to break builds until the upstream package exports it, tightly coupling this PR to an unpublished change.
• The FireproofDashboard route directly uses window.fetch, which will throw in non-DOM environments and should be guarded or replaced with global fetch.
• React Query usage currently lacks user-scoped keys and cache/session management, risking cross-user data leakage within a single browser session.
• Error normalization and minor UI/logging details (e.g. wrapResultToPromise, missing !isLoaded state, array index keys) can be improved for robustness and maintainability.

Summary of changes

Summary of Changes

• Added @tanstack/react-query and @fireproof/core-protocols-dashboard as dependencies and wired them into pnpm-lock.yaml and package.json.
• Wrapped the app in a global QueryClientProvider (inside ClerkProvider) in root.tsx, configuring default query options.
• Registered a new /fireproof route in routes.ts.
• Implemented a new FireproofDashboard route that:
  • Uses Clerk auth and a DashboardApi client to obtain a fp-cloud-jwt via getCloudSessionToken and then fetch tenants and ledgers with React Query.
  • Adds extensive logging, JWT decoding, and special handling for JWKS verification failures.
  • Renders tenants and ledgers sections with loading, error, and empty states.
• Added token-auth-and-exchange.md documenting the current auth/token exchange debugging findings and hypotheses.

[charliecreates]

The memoized DashboardApi client is configured to use an fp-cloud-jwt when fpCloudToken is present, otherwise it falls back to a Clerk token. Once fpCloudToken is set, you never attempt to refresh it or check its expiry, and getToken will continue to return it indefinitely.

Given that you already decode the Clerk token and log expiry information, not doing any TTL/expiry management on the exchanged token risks 401s/failures later in the session due to an expired fp-cloud-jwt being reused. At minimum, this should be called out as a known limitation, but ideally there should be a basic expiry check and refresh mechanism.

Suggestion

Augment the fpCloudToken state to also track its expiry (if available from the getCloudSessionToken response) or last-issued timestamp, and teach getToken to fall back to a fresh Clerk-based exchange when the cached fp-cloud-jwt is stale. This can be as simple as storing { token, exp } and checking exp against Date.now()/1000 before deciding whether to reuse or refresh. If you’d like, I can propose a specific shape for this state and the corresponding refresh logic—reply with "@CharlieHelps yes please" and I’ll include a concrete code change.

[charliecreates]

fetchFpCloudToken is called from a useEffect that depends on api, and api is recreated whenever fpCloudToken changes. After setFpCloudToken, the component re-renders, api is recreated with a new closure over the updated fpCloudToken, and the effect runs again. The guard if (!isLoaded || !isSignedIn || fpCloudToken) return; currently prevents an infinite loop, but the dependency on api is unnecessary and makes the effect’s behaviour harder to reason about.

Since the effect only needs a stable client reference plus auth flags and fpCloudToken, tying it directly to api is over-coupling and can surprise future maintainers if api’s dependencies change.

Suggestion

Consider decoupling the effect from the full api object by either (1) extracting just the getCloudSessionToken function into a stable callback or (2) suppressing api in the dependency list with a clear comment and relying on the existing fpCloudToken/auth guards to avoid stale reads. Option (1) is cleaner long term; I can sketch the minimal refactor that memoizes getCloudSessionToken separately and uses that in the effect—reply with "@CharlieHelps yes please" and I’ll provide a patch.

[charliecreates]

The tenants and ledgers UI sections are nearly identical in structure: both have loading/error/empty/list states, similar card styling, and similar list rendering. This duplication increases the chance of subtle drift (e.g. one gets improved skeletons or error handling and the other doesn’t) and makes future enhancements harder.

Given this dashboard is expected to evolve, centralizing the shared list behavior would make the codebase easier to maintain and reason about.

Suggestion

Extract a small reusable list/section component that encapsulates the common pattern—accepting props like title, query, and an renderItem callback—so you only define the loading/error/empty scaffolding once. I can propose a concrete DashboardSection abstraction using your existing Tailwind classes and React Query shape if you’d like—reply with "@CharlieHelps yes please" and I’ll add a refactor patch.

[mabels]

@jchris pls use the sts service from fireproof instead of doing evering again .

[mabels]

exception2Result from fireproof does that

[mabels]

you should be able to not to pass the fetch ---

[mabels]

thats is nonsensen

[mabels]

use sts service from fireproof

[mabels]

never use constants in prod code

[mabels]

this logic is temp i will give you something better in the near future

[mabels]

should we make a dashboard-react packages so that this things are only once exist