// Modal infrastructure + 3 specific modals: Service detail, Contract proposal, Add rule. const { Icons, DATA } = window; const { Pill, OwnerChip, Tabs, currency } = window; const { useState: useStateM, useEffect: useEffectM } = React; // ---------- Generic modal shell ---------- function Modal({ open, onClose, children, width = 880, title, eyebrow, headerRight }) { useEffectM(() => { if (!open) return; const onKey = (e) => { if (e.key === "Escape") onClose(); }; window.addEventListener("keydown", onKey); document.body.style.overflow = "hidden"; return () => { window.removeEventListener("keydown", onKey); document.body.style.overflow = ""; }; }, [open]); if (!open) return null; return (
e.stopPropagation()}>
{eyebrow &&
{eyebrow}
}

{title}

{headerRight}
{children}
); } // ---------- 1) Service detail modal, keys + apps ---------- function ServiceDetailModal({ service, onClose, onOpenApp, policy, onSetPolicy, posture }) { if (!service) return null; // Build the per-app key inventory from service shape. const keys = serviceKeys(service); const totalCost = service.cost; const isLLM = service.kind === "LLM"; const eyebrow = `External service · ${service.kind} · ${service.apps.length} apps`; return ( }> {/* top facts strip */}
Spend / mo
{currency(totalCost)}
Behavior
{service.det ? "deterministic" : "non-det"}
Apps
{service.apps.length}
Keys on file
{keys.length}
{/* Outbound policy editor */} {policy && onSetPolicy && (

Outbound policy

How Stoda treats outbound calls to {service.name} across the fleet.
)} {/* Shared-key warning */} {service.sharedKey && (
Shared key across {service.apps.length} apps. {currency(totalCost)} this month is unattributed, costs roll up to one team, blast radius covers every app using {service.sharedKey}. Per-app keys restore team-level P&L and isolate failures.
)} {!service.sharedKey && service.apps.length > 1 && (
Per-app keys. Each app holds its own secret, costs attributed by key, blast radius scoped to one app.
)} {/* Keys table */}

API keys ({keys.length})

Last-4 of secret · scope · who can use it · last rotation
{keys.map((k, i) => ( ))}
KeyScopeAppsCreatedLast rotatedStatus
{k.id}···{k.last4}
{k.envName}
 {k.scope === "shared" ? shared · {k.apps.length} apps : per-app}
{k.apps.slice(0, 3).map((a, j) => ( ))} {k.apps.length > 3 && +{k.apps.length - 3}}
{k.created} {k.rotated} {k.status === "ok" && active} {k.status === "stale" && {k.staleReason || "stale"}} {k.status === "issue" && issue}
{/* Recent calls / spend split */}

Spend split, last 30 days

Per-app attribution from request tags + key mapping.
{/* Notes if non-det */} ); } // Build deterministic key inventory from a service record. function serviceKeys(s) { const out = []; // Shared key, if present (always the problem state, unattributed, broad blast radius) if (s.sharedKey) { out.push({ id: s.sharedKey.toLowerCase().replace(/_/g, "-"), last4: hashLast4(s.sharedKey + ":shared"), envName: s.sharedKey, scope: "shared", apps: s.apps, created: "Aug 14, 2025", rotated: "Nov 02, 2025", status: "stale", staleReason: "shared · unattributed", }); } // Per-app keys (when not shared, or for some apps even if shared) const perAppApps = s.sharedKey ? [] : s.apps; perAppApps.forEach((appName, i) => { out.push({ id: keyId(s.name, appName), last4: hashLast4(s.name + ":" + appName), envName: keyEnv(s, appName), scope: "per-app", apps: [appName], created: ["Sep 22, 2025", "Oct 04, 2025", "Jan 18, 2026", "Feb 02, 2026"][i % 4], rotated: ["Mar 18, 2026", "Apr 02, 2026", "Mar 28, 2026", "Apr 11, 2026"][i % 4], status: i === 1 ? "stale" : "ok", staleReason: i === 1 ? "180d+ since rotation" : null, }); }); return out; } function hashLast4(seed) { let h = 0; for (let i = 0; i < seed.length; i++) h = (h * 31 + seed.charCodeAt(i)) | 0; const v = Math.abs(h) % 10000; return v.toString(16).toUpperCase().padStart(4, "0"); } function keyId(svc, app) { const a = app.toLowerCase().split(/\s+/).map(w => w[0]).join("").slice(0, 3); const s = svc.toLowerCase().replace(/[^a-z]/g, "").slice(0, 6); return `${s}-${a}`; } function keyEnv(s, app) { const base = s.kind === "LLM" ? "API_KEY" : "TOKEN"; const tag = app.toUpperCase().replace(/\s+/g, "_").replace(/[^A-Z_]/g, "").slice(0, 14); const svc = s.name.toUpperCase().replace(/[^A-Z]/g, "").slice(0, 8); return `${svc}_${tag}_${base}`; } function SpendSplit({ service }) { // Synthesize a stable split by app, summing to service.cost. const total = service.cost || 1; const apps = service.apps; // Weights: derived from app name hash, normalized. const weights = apps.map(a => { let h = 0; for (let i = 0; i < a.length; i++) h = (h * 17 + a.charCodeAt(i)) | 0; return (Math.abs(h) % 7) + 1; }); const wSum = weights.reduce((s, w) => s + w, 0); const split = apps.map((a, i) => ({ app: a, cost: Math.round(total * weights[i] / wSum), pct: weights[i] / wSum, })); return (
{split.map((p, i) => ( ))}
{split.map((p, i) => (
{p.app} {currency(p.cost)} {Math.round(p.pct * 100)}%
))}
); } // PolicyOpt — option button used by ServiceDetailModal's policy editor. function PolicyOpt({ val, cur, set, label, sub }) { const on = cur === val; return ( ); } // ---------- 2) Contract proposal modal ---------- function ContractProposalModal({ open, onClose }) { const [tab, setTab] = useStateM("schema"); // The proposed contract for deals.postgres, used by Quote Copilot, Onboarding Wizard, Churn Early Warning. const fields = [ { name: "id", type: "uuid", read: ["QC", "OW", "CEW"], write: ["QC", "OW"], conflict: false, note: "Primary key. Stable across all 3 apps." }, { name: "account_id", type: "uuid", read: ["QC", "OW", "CEW"], write: ["QC", "OW"], conflict: false, note: "FK to accounts.postgres." }, { name: "stage", type: "enum<8>", read: ["QC", "OW", "CEW"], write: ["QC", "OW"], conflict: true, note: "QC writes free-string stage names; OW writes the canonical enum. Contract aligns to enum." }, { name: "amount_cents", type: "int64", read: ["QC", "OW", "CEW"], write: ["QC", "OW"], conflict: false, note: "Always cents. QC v122 had a $-floats branch, already migrated." }, { name: "currency", type: "iso4217", read: ["QC", "CEW"], write: ["QC"], conflict: false, note: "Defaults to USD if absent." }, { name: "owner_email", type: "email", read: ["QC", "OW", "CEW"], write: ["QC", "OW"], conflict: false, note: "Stoda PII tag, sent only to det endpoints." }, { name: "closed_at", type: "timestamp?", read: ["CEW"], write: ["QC"], conflict: true, note: "QC sets, OW touches via trigger, CEW reads. Contract makes the trigger explicit." }, { name: "legacy_stage", type: "string?", read: ["CEW"], write: [], conflict: true, note: "DEPRECATED. CEW still reads; migration plan removes it Apr 30." }, ]; const apps = [ { code: "QC", name: "Quote Copilot", owner: "ml", read: 7, write: 4, status: "ready", note: "Already typed against draft schema. 0 changes needed." }, { code: "OW", name: "Onboarding Wizard", owner: "ml", read: 6, write: 3, status: "patch", note: "Stoda will rewrite 3 call sites, `stage` string → enum mapping." }, { code: "CEW", name: "Churn Early Warning", owner: "ml", read: 5, write: 0, status: "patch", note: "Drops `legacy_stage` read after Apr 30 migration. Staging test added." }, ]; const tests = [ { id: "T1", name: "Roundtrip insert/select preserves all 22 fields", kind: "deterministic", runs: "every PR", status: "passing" }, { id: "T2", name: "Stage enum rejects free-string writes", kind: "deterministic", runs: "every PR", status: "passing" }, { id: "T3", name: "PII fields never exit to non-det endpoints", kind: "deterministic", runs: "every PR", status: "passing" }, { id: "T4", name: "Closed-at trigger fires within 50ms of stage=closed", kind: "deterministic", runs: "every PR", status: "passing" }, { id: "T5", name: "Legacy_stage migration: CEW reads degrade gracefully", kind: "deterministic", runs: "pre-migration", status: "pending" }, { id: "T6", name: "Contract version bump → all 3 apps regenerate clean", kind: "synthesis", runs: "on any change", status: "passing" }, ]; return ( }>
Why now. Three apps query deals.postgres directly with no typed contract. Last week's `legacy_stage` rename almost broke Churn Early Warning silently, Stoda caught it on staging. Codifying the contract turns this into a single reviewable diff every time the schema moves.
{tab === "schema" && (
{fields.map((f, i) => ( ))}
FieldTypeReadsWritesNotes
{f.name} {f.conflict && conflict} {f.name === "owner_email" && PII} {f.name === "legacy_stage" && deprecated}
{f.type}
{f.read.map((c, j) => {c})}
{f.write.length ? f.write.map((c, j) => {c}) : -}
{f.note}
)} {tab === "consumers" && (
{apps.map((a, i) => (
{a.name}
{a.read} reads · {a.write} writes
{a.status === "ready" && no changes} {a.status === "patch" && auto-patch}

{a.note}

))}
)} {tab === "migration" && (

Auto-generated migration plan

Two reversible steps. Stoda runs each on staging first, replays operator-authored tests, then promotes.

Rollback plan

Each step ships behind a flag. If any operator-authored test fails on staging, the step is auto-reverted and the gate holds, no human action required.

)} {tab === "tests" && (
{tests.map((t, i) => ( ))}
TestKindRunsStatus
{t.id} {t.name}
{t.kind} {t.runs} {t.status === "passing" && passing} {t.status === "pending" && pending}
)} ); } function ProposalStat({ label, value, foot }) { return (
{label}
{value}
{foot}
); } function MigStep({ n, title, detail, status }) { return (
{n}
{title} {status === "ready" && ready} {status === "scheduled" && scheduled}
{detail}
); } // ---------- 3) Add rule modal, Library + Custom tabs ---------- function AddRuleModal({ open, onClose, presetRuleId }) { const [mode, setMode] = useStateM("library"); // "library" | "custom" return ( {mode === "library" && } {mode === "custom" && } ); } function RuleLibrary({ onClose, presetRuleId }) { // Build library of rules NOT yet active in the org. Pull a few real ones, mark as off, and add ~6 fresh ones. const orgRules = DATA.RULES; const offRules = orgRules.filter(r => r.status === "off" || r.status === "partial"); const fresh = [ { id: "lib-1", category: "security", name: "Block API responses containing SSN-shaped strings", summary: "Pattern-matches 9-digit SSN-like strings in any outbound response body. Built-in: 12 tests across 6 vendor schemas.", builtInTests: 12, fleetEligible: 14 }, { id: "lib-2", category: "quality", name: "LLM responses must validate against pinned JSON schema", summary: "Wraps every non-det endpoint call. Drift in the response shape blocks the deploy and opens an alert.", builtInTests: 18, fleetEligible: 6 }, { id: "lib-3", category: "cost", name: "Per-app daily LLM budget with automatic cool-down", summary: "Soft cap (warn) and hard cap (cool-down). Both are operator-tunable per app and team.", builtInTests: 9, fleetEligible: 11 }, { id: "lib-4", category: "data", name: "Multi-app schemas must declare a backup window", summary: "Catches the 'no recent backup' failure mode before it ships. Verified against the BYOC backup ledger.", builtInTests: 7, fleetEligible: 4 }, { id: "lib-5", category: "pipeline", name: "Block deploys on Friday after 14:00 local", summary: "Soft block, operator can still deploy with VP approval. Optional per team.", builtInTests: 4, fleetEligible: 24 }, { id: "lib-6", category: "network", name: "All outbound calls must include an `X-App-Id` header", summary: "Restores per-app attribution for shared egress proxies. Stoda auto-injects on app startup if missing.", builtInTests: 6, fleetEligible: 22 }, { id: "lib-7", category: "security", name: "Mandate per-app API keys, no shared credentials", summary: "Detects when a single API key (OpenAI, Stripe, etc.) is referenced by 2+ apps. Per-app keys restore cost attribution and reduce blast radius. Stoda generates new keys, opens PRs to swap them, and validates with the provider before merging.", builtInTests: 8, fleetEligible: 4, defaultGrace: "14d" }, ]; const library = [ ...offRules.map(r => ({ id: r.id, category: r.category, name: r.name, summary: r.summary, builtInTests: r.builtInTests, fleetEligible: 24, current: true, })), ...fresh, ]; const cats = DATA.RULE_CATEGORIES; const [cat, setCat] = useStateM("all"); const [pick, setPick] = useStateM(presetRuleId || library[0]?.id || null); const [scope, setScope] = useStateM("all"); const [severity, setSeverity] = useStateM("hard"); const [grace, setGrace] = useStateM(presetRuleId === "lib-7" ? "7d" : "0"); const [confirming, setConfirming] = useStateM(false); const [q, setQ] = useStateM(""); const filtered = library.filter(r => { if (cat !== "all" && r.category !== cat) return false; if (q && !(r.name + " " + r.summary).toLowerCase().includes(q.toLowerCase())) return false; return true; }); const selected = library.find(r => r.id === pick); return (
{/* sidebar, categories */}
Categories
{cats.map(c => { const Ic = Icons[c.icon] || Icons.Shield; const n = library.filter(r => r.category === c.id).length; if (n === 0) return null; return ( ); })}
{/* middle, list */}
setQ(e.target.value)}/>
{filtered.map(r => ( ))} {filtered.length === 0 &&
No rules match.
}
{/* right, detail + scope */}
{selected ? ( <>
{(cats.find(c => c.id === selected.category) || {}).name}

{selected.name}

{selected.summary}

{selected.builtInTests} built-in tests ship with this rule. Maintained by Stoda, applied on every deploy across the apps you scope here.
{/* Fleet preview */}
Fleet preview
{selected.fleetEligible} apps eligible · 3 would violate at first run
Stoda will dry-run on staging before turning the gate hard.
{/* Scope */}
Scope
{/* Severity */}
Enforcement
{/* Grace period */}
Grace period for existing operators
{[["0","None"],["3d","3 days"],["7d","7 days"],["14d","14 days"],["30d","30 days"]].map(([v,l]) => ( ))}
Operators with existing violations get this long to migrate before the gate goes hard. New deploys are gated immediately.
) : (
Pick a rule to configure.
)}
{selected ? <>Adding {selected.name} · {scope === "all" ? "all 24 apps" : scope === "team" ? "selected teams" : "selected apps"} · {severity === "hard" ? "hard gate" : "warn only"}{grace !== "0" && <> · {grace} grace} : "Pick a rule to continue."}
{confirming && selected && (
setConfirming(false)}>
e.stopPropagation()}>
Confirm rollout

Turning on {selected.name}

{selected.fleetEligible} operators currently in violation will have {grace === "0" ? "no grace period" : grace.replace("d", " days")} to migrate before the {severity === "hard" ? "hard gate" : "warning"} takes effect.
They'll be notified by email and Slack immediately, with a follow-up 24h before the gate hardens.
New deploys are gated starting now. Existing apps keep running through the grace period.
)}
); } function ScopeOpt({ val, cur, set, label, sub }) { const on = cur === val; return ( ); } function SevOpt({ val, cur, set, label, sub }) { const on = cur === val; return ( ); } function RuleAuthor({ onClose }) { const [name, setName] = useStateM("Block deploys touching pricing.* without finance approval"); const [desc, setDesc] = useStateM( "When a deploy diff includes any change under apps/*/pricing/** or schemas/pricing.*, the pull request must carry an approval from a member of the Finance team. Auto-approve if the diff only touches comments or whitespace." ); const [generated, setGenerated] = useStateM(true); // default: show as already generated const tests = [ { name: "PR with pricing.ts change + finance approval → pass", status: "passing" }, { name: "PR with pricing.ts change + no finance approval → blocked", status: "passing" }, { name: "PR with pricing/comment-only diff → auto-approved", status: "passing" }, { name: "PR with non-pricing change → rule does not trigger", status: "passing" }, { name: "Approver outside finance team → blocked, with reason logged", status: "passing" }, ]; return (
{/* Left, describe */}
1. Describe in plain language
setName(e.target.value)} placeholder="Rule name"/>