PHANTOMLABSAI SITE AUDIT

Updated: 2/25/2026, 9:58:32 AM

PhantomLabsAI / PhantomPulse — Site & Dashboard Audit (2026-02-11)

Repo: /Users/eric/.openclaw/workspace/PhantomPulse

What I ran

  • npm run check ✅ (TypeScript OK)
  • npm run build ✅ (Vite + server bundle OK)
    • Noted warnings:
      • Browserslist/caniuse-lite outdated (non-blocking)
      • PostCSS "did not pass the `from` option" warning (non-blocking; potential asset-transform edge cases)
      • Bundle chunk > 500KB (performance; not launch-blocking)

Environment variables (local/dev/prod)

From README.md + server code:

  • DATABASE_URL required (server fails fast in server/db.ts)
  • SESSION_SECRET recommended but should be required in prod (see security note below)
  • PORT optional (defaults 5000)
  • AI integrations (used in server/replit_integrations/* and /api/ai/signals):
    • AI_INTEGRATIONS_OPENAI_API_KEY
    • AI_INTEGRATIONS_OPENAI_BASE_URL
  • Tradovate (used in server/tradovate.ts):
    • TRADOVATE_USERNAME
    • TRADOVATE_PASSWORD

Suggested .env template:

DATABASE_URL=postgres://...
SESSION_SECRET=replace-with-long-random
PORT=5000
# optional
AI_INTEGRATIONS_OPENAI_API_KEY=...
AI_INTEGRATIONS_OPENAI_BASE_URL=https://api.openai.com/v1
TRADOVATE_USERNAME=...
TRADOVATE_PASSWORD=...

UX / IA quick read

What’s working well

  • Clear split between marketing (/) and dashboard (/dashboard/*).
  • Dashboard sidebar is consistent and has active-state logic.
  • Accounts connect flow is fairly complete (validation, dialog, platform/broker selection).
  • Many elements have data-testid which is great for future e2e.

Core UX problems

  • Global navigation component is Home-section scroll based, but it is reused on other pages (auth/dashboard legacy page). When not on /, the "How it works / Pricing / FAQ" buttons do nothing.
  • "Apply Now" CTA routes to /client/auth, but that page defaults to login, not register. This is a conversion-killer.

Findings & fixes (prioritized)

P0 — Launch blockers

  1. Apply Now goes to Login (wrong default mode)
  • Where: client/src/pages/ClientAuth.tsx, initialization:
    const [isLogin, setIsLogin] = useState<boolean>(modeParam === "login" || modeParam !== "register");
    
    This evaluates to true for modeParam=null, so /client/auth defaults to login.
  • Impact: "Apply Now" from the homepage sends new users to the wrong form.
  • Fix:
    • Decide desired default for /client/auth (recommend: register)
    • Make logic explicit:
      • mode=login → login
      • otherwise → register
    • Update homepage nav:
      • Login → /client/auth?mode=login
      • Apply Now → /client/auth?mode=register
  2. Top nav section links break off-homepage
  • Where: client/src/components/Navigation.tsx uses document.getElementById(id).
  • Impact: On /client/auth, /products, etc. those sections don’t exist.
  • Fix options:
    • Preferred: use real links to /#pricing etc. (or /?section=pricing) and on Home read hash to scroll.
    • At minimum: if window.location.pathname !== '/' then route to '/#pricing' etc. before scrolling.
  3. Missing compliance pages linked from footer
  • Missing (launch-critical for payments + trust):
    • Privacy Policy
    • Terms of Service
    • Risk Disclosure (trading/financial disclaimer)
  • Fix:
    • Add /privacy, /terms, /risk routes + footer links.
  4. Security footgun: JWT secret fallback
  • Where: server/routes.ts:
    const JWT_SECRET = process.env.SESSION_SECRET || "fallback-secret-key";
    
  • Impact: if SESSION_SECRET missing in production, JWTs become trivially forgeable.
  • Fix:
    • Fail fast in prod if SESSION_SECRET missing (similar to DATABASE_URL).
    • Or require a dedicated JWT_SECRET.
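A fail-fast replacement for the fallback line above, written as an added example (not PhantomPulse project code). It assumes a resolver named resolveJwtSecret is called once at server startup: a dedicated JWT_SECRET wins over SESSION_SECRET, a missing value is fatal only under NODE_ENV=production (dev gets a random per-process secret instead of a hard-coded string), and the two placeholder strings that appear in this audit, plus anything shorter than 32 bytes, are rejected in every environment.

```typescript
import { randomBytes } from "crypto";

// Added example, not PhantomPulse code. Assumed names: resolveJwtSecret, JwtSecretError.
type Env = Record<string, string | undefined>;

const MIN_SECRET_BYTES = 32; // assumption: 256 bits minimum for an HMAC signing key
// Values that must never be accepted as a real key (both appear in the audit above).
const KNOWN_PLACEHOLDERS = new Set(["fallback-secret-key", "replace-with-long-random"]);

export class JwtSecretError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "JwtSecretError";
  }
}

export function resolveJwtSecret(env: Env, warn: (msg: string) => void = console.warn): string {
  const prod = env.NODE_ENV === "production";
  // A dedicated JWT_SECRET is preferred so the token key can rotate independently of the session secret.
  const secret = env.JWT_SECRET ?? env.SESSION_SECRET;

  if (!secret) {
    if (prod) throw new JwtSecretError("JWT_SECRET or SESSION_SECRET must be set in production");
    // Dev/test only: a fresh random secret per process, so a forgotten variable never
    // silently produces a key that is also readable in the source tree.
    warn("no JWT secret configured; using a random per-process secret (dev only)");
    return randomBytes(MIN_SECRET_BYTES).toString("hex");
  }
  if (KNOWN_PLACEHOLDERS.has(secret)) {
    throw new JwtSecretError("JWT secret is a known placeholder value; set a real random secret");
  }
  if (Buffer.byteLength(secret, "utf8") < MIN_SECRET_BYTES) {
    throw new JwtSecretError(`JWT secret must be at least ${MIN_SECRET_BYTES} bytes`);
  }
  return secret;
}
```

Calling this at module load in server/routes.ts (instead of the `||` fallback) turns a missing production secret into a startup crash rather than a forgeable-token deployment.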

P1 — Important (should ship soon after)

  1. Inconsistent auth systems + naming
  • Admin uses server session/passport (/auth, /admin/*).
  • Client uses JWT stored client-side (/client/auth, /dashboard/*).
  • This is OK, but you should:
    • visually distinguish "Admin" vs "Client" login
    • ensure logout clears correct storage (client does clearAuthToken in DashboardLayout, admin is separate)
    • document both flows in README.
  2. Missing loading/error states in several dashboard pages
  • Example: dashboard/Overview.tsx reads client and tradingAccounts without showing isLoading/error states.
  • Fix: add skeleton + error card with retry (queryClient.invalidateQueries).
  3. Placeholder metrics should be labeled "Coming soon"
  • Current UI shows -- or $0.00, which can look broken.
  • Fix: replace with "Coming soon" + tooltip, or hide blocks behind a feature flag.
  4. Performance: large SPA bundle
  • Build warns index-*.js > 500KB.
  • Fix: route-level code splitting (lazy imports) for dashboard pages and heavy components (charts, signals).

P2 — Cleanup / maintainability

  1. Unused legacy page
  • client/src/pages/ClientDashboard.tsx is not routed in App.tsx.
  • It also uses Navigation (problematic) and duplicates dashboard functionality.
  • Fix: delete, or re-home as a prototype, or wire route if intended.
  2. Console logs in server
  • server/tradovate.ts and webhook handler log potentially sensitive operational events.
  • Fix: replace with structured logger with redaction and log levels.
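A minimal structured logger with redaction and log levels of the kind proposed above, as an added example (not PhantomPulse code). The helper names createLogger, redact and SENSITIVE_KEY are assumptions; field names matching password/secret/token/authorization/api key (which covers TRADOVATE_PASSWORD and JWT bearer tokens) are masked recursively, "Bearer <token>" substrings inside free-text values are scrubbed too, and records below the configured level are dropped before serialisation.

```typescript
// Added example, not PhantomPulse code. Assumed names: createLogger, redact, SENSITIVE_KEY.
type Level = "debug" | "info" | "warn" | "error";
const LEVEL_RANK: Record<Level, number> = { debug: 0, info: 1, warn: 2, error: 3 };
// Field names whose values are masked outright (Tradovate password, API keys, JWTs, auth headers).
const SENSITIVE_KEY = /pass(word)?|secret|token|authorization|api[_-]?key/i;
// Token-shaped substrings inside free text (e.g. an echoed header) are scrubbed as well.
const BEARER_IN_TEXT = /Bearer\s+\S+/gi;

export function redact(value: unknown, depth = 0): unknown {
  if (typeof value === "string") return value.replace(BEARER_IN_TEXT, "Bearer [REDACTED]");
  if (depth > 8 || value === null || typeof value !== "object") return value;
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
    out[k] = SENSITIVE_KEY.test(k) ? "[REDACTED]" : redact(v, depth + 1);
  }
  return out;
}

export function createLogger(minLevel: Level, sink: (line: string) => void = console.log) {
  const emit = (level: Level, msg: string, fields: Record<string, unknown> = {}) => {
    if (LEVEL_RANK[level] < LEVEL_RANK[minLevel]) return; // level filter runs before redaction
    const safe = redact(fields) as Record<string, unknown>;
    sink(JSON.stringify({ ts: new Date().toISOString(), level, msg: redact(msg), ...safe }));
  };
  return {
    debug: (msg: string, fields?: Record<string, unknown>) => emit("debug", msg, fields),
    info: (msg: string, fields?: Record<string, unknown>) => emit("info", msg, fields),
    warn: (msg: string, fields?: Record<string, unknown>) => emit("warn", msg, fields),
    error: (msg: string, fields?: Record<string, unknown>) => emit("error", msg, fields),
  };
}
```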

Launch-critical missing pages/states (summary)

  • Compliance pages: Privacy / Terms / Risk
  • Auth: Apply Now must land on registration; password rules visible
  • Global nav: cross-page section links must work
  • Dashboard: clear loading/error for first load

Proposed PR plan (do not push/merge)

Branch 1: fix/client-auth-default-register

Commits:

  1. fix(auth): default /client/auth to register and respect mode param
    • Make mode handling explicit (login vs register).
  2. fix(marketing): Apply Now routes to register mode; Login routes to login mode
    • Update Navigation.tsx links.

Branch 2: fix/navigation-cross-page-section-links

Commits:

  1. fix(nav): make Home section buttons navigate via hash when off-homepage
  2. feat(home): on mount, scroll to section from location.hash

Branch 3: feat/legal-pages

Commits:

  1. feat(legal): add /privacy /terms /risk pages
  2. chore(footer): link legal pages and add support contact

Branch 4: chore/security-require-session-secret

Commits:

  1. chore(security): require SESSION_SECRET in production; remove JWT fallback
  2. docs(env): document SESSION_SECRET requirement and rotation guidance

Branch 5: ux/dashboard-loading-error-states

Commits:

  1. ux(dashboard): add loading + error states to Overview
  2. ux(dashboard): standardize empty states across pages

Notes / questions to resolve

  • What is the intended default for /client/auth (login vs register)? Current copy implies register for "Apply Now".
  • Are bots meant to be deployable immediately (subscription gating), or should they be "Coming soon / Beta"?
  • Should "Admin" be accessible in production at all, or behind an allowlist?