
fix(dashboard): make demo navigation public-safe #506

Closed
izadoesdev wants to merge 1 commit into staging from codex/public-safe-demo



@izadoesdev izadoesdev commented Jun 28, 2026

Member

Summary

  • trim demo sidebar and command search to public-safe website surfaces only
  • keep Goals and Funnels public in demo, but make them read-only there
  • remove direct demo routes for flags, revenue, and users
  • block public/demo RPC reads for feature flag and target group admin definitions

Validation

  • bun test apps/dashboard/components/layout/navigation/nav-item-active.test.ts apps/dashboard/next-config.test.ts packages/ai/src/query/builders/public-access.test.ts
  • bunx ultracite check
  • bun run --cwd packages/rpc check-types
  • bun run --cwd apps/dashboard check-types
  • commit hook: dotenv -- turbo run check-types + enforce-format
  • pre-push hook: dotenv -- turbo run test

Notes

  • Goals and Funnels are intentionally still visible in the demo because they do not expose admin targeting/configuration data; creation/edit/delete controls are hidden on demo routes.


unkey-deploy Bot commented Jun 28, 2026


The latest updates on your projects. Learn more about Unkey Deploy

Name Status Preview Inspect Updated (UTC)
api (preview) Ready Visit Preview Inspect Jun 28, 2026 5:57pm


vercel Bot commented Jun 28, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
dashboard Ready Ready Preview, Comment Jun 28, 2026 5:57pm
databuddy-status Ready Ready Preview, Comment Jun 28, 2026 5:57pm
documentation Ready Ready Preview, Comment Jun 28, 2026 5:57pm


coderabbitai Bot commented Jun 28, 2026

Contributor

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 41305313-31be-495d-82c8-653160f9cd13

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 19 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.
Architecture diagram
sequenceDiagram
    participant Client as Browser (Demo Site)
    participant Nav as Navigation Component
    participant Search as Command Search
    participant Funnels as Funnels Page
    participant Goals as Goals Page
    participant RPC as RPC Router
    participant DB as Database

    Note over Client,DB: Demo Site Navigation & Content Flow

    Client->>Nav: Load demo website sidebar
    Nav->>Nav: Filter items with hideFromDemo=true
    alt Demo path detected
        Nav->>Nav: Hide: Realtime, Anomalies, Users, Flags, Revenue, Agent, Settings
        Nav->>Nav: Show: Audience, Pulse, Funnels, Goals, Events
    end
    Nav-->>Client: Rendered sidebar

    Client->>Search: Open command palette on demo path
    Search->>Search: Execute groupsToSearchGroups with isDemoPath=true
    Search->>Search: Skip items with hideFromDemo=true
    Search->>Search: Skip "Actions" category for demo
    Search->>Search: Skip "Websites" switcher for demo
    Search->>Search: Skip "API Keys" section for demo
    Search-->>Client: Filtered search results

    Client->>Funnels: Navigate to /demo/[id]/funnels
    Funnels->>Funnels: Detect isDemoRoute = true via usePathname()
    alt isDemoRoute
        Funnels->>Funnels: Hide "Create Funnel" button
        Funnels->>Funnels: Hide empty state action
        Funnels->>Funnels: Hide action menu (Edit/Delete)
        Funnels->>Funnels: Hide EditFunnelDialog
        Funnels->>Funnels: Hide DeleteDialog
    end
    Funnels->>RPC: fetch("/funnels.list") with demo context
    RPC->>RPC: withPublicWorkspace check (read permission)
    RPC->>DB: SELECT funnel definitions
    DB-->>RPC: Funnel data
    RPC-->>Funnels: Funnel list (read-only)
    Funnels-->>Client: Display funnels with readOnly prop

    Client->>Goals: Navigate to /demo/[id]/goals
    Goals->>Goals: Detect isDemoRoute = true via usePathname()
    alt isDemoRoute
        Goals->>Goals: Hide "Create Goal" button
        Goals->>Goals: Hide empty state action
        Goals->>Goals: Hide action menu (Edit/Delete)
        Goals->>Goals: Hide EditGoalDialog
        Goals->>Goals: Hide DeleteDialog
    end
    Goals->>RPC: fetch("/goals.list") with demo context
    RPC-->>Goals: Goal list (read-only)
    Goals-->>Client: Display goals with readOnly prop

    Note over Client,RPC: Blocked Admin Surfaces

    Client->>RPC: fetch("/flags.list") with demo context
    RPC->>RPC: authorizeFlagRead → workspace.tier = "demo"
    RPC->>RPC: requireAuthedFlagRead → throw UNAUTHORIZED
    RPC-->>Client: 401 Unauthorized

    Client->>RPC: fetch("/targetGroups.list") with demo context
    RPC->>RPC: withPublicWorkspace check
    RPC->>RPC: requireAuthedTargetGroupRead → workspace.tier = "demo"
    RPC->>RPC: throw UNAUTHORIZED
    RPC-->>Client: 401 Unauthorized

    Note over Client,RPC: Removed demo routes (no page exists)

    Client->>Client: Navigate to /demo/[id]/flags → 404
    Client->>Client: Navigate to /demo/[id]/revenue → 404
    Client->>Client: Navigate to /demo/[id]/users → 404
    Client->>Client: Navigate to /demo/[id]/users/[userId] → 404

Shadow auto-approve: would auto-approve. Changes make demo navigation public-safe by hiding unsafe routes (flags, revenue, users), adding hideFromDemo flags, and blocking demo RPC reads for feature flags and target groups. Funnels and goals remain visible but read-only. Tests verify the changes.
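
The summary and diagram above put the real control at the RPC layer: hiding sidebar items and Create/Edit/Delete buttons does not stop a direct call. The following is an added example, not code from this pull request; the policy table, `authorize`, `demoSurface` and the rule that demo-tier workspaces never serve admin reads or writes are assumptions made for illustration.

```typescript
// Added example with hypothetical names; not the project's RPC layer.
type Tier = "demo" | "standard";
type Access = "public-read" | "authed-read" | "authed-write";
type Decision =
  | { allowed: true }
  | { allowed: false; code: "UNAUTHORIZED" | "NOT_FOUND" };

interface CallContext {
  workspaceTier: Tier;
  userId: string | null; // null: anonymous visitor on a public demo page
}

// Each procedure is classified once; anything not listed is denied.
const POLICY: { [procedure: string]: Access } = {
  "funnels.list": "public-read",
  "goals.list": "public-read",
  "funnels.create": "authed-write",
  "goals.delete": "authed-write",
  "flags.list": "authed-read",
  "targetGroups.list": "authed-read",
};

function authorize(procedure: string, ctx: CallContext): Decision {
  // hasOwnProperty keeps inherited keys such as "constructor" out of the table.
  if (!Object.prototype.hasOwnProperty.call(POLICY, procedure)) {
    return { allowed: false, code: "NOT_FOUND" };
  }
  const access = POLICY[procedure];
  if (access === "public-read") {
    // Public reads are served to anonymous callers only for demo workspaces.
    const ok = ctx.workspaceTier === "demo" || ctx.userId !== null;
    return ok ? { allowed: true } : { allowed: false, code: "UNAUTHORIZED" };
  }
  // Assumption: admin reads and all writes need a signed-in user and are
  // never served for a demo-tier workspace, whatever the UI shows or hides.
  if (ctx.userId === null || ctx.workspaceTier === "demo") {
    return { allowed: false, code: "UNAUTHORIZED" };
  }
  return { allowed: true };
}

// Procedures an anonymous demo visitor can actually reach; compare this
// against the intended public surface in a test.
function demoSurface(): string[] {
  const visitor: CallContext = { workspaceTier: "demo", userId: null };
  return Object.keys(POLICY).filter((p) => authorize(p, visitor).allowed).sort();
}
```

Asserting on `demoSurface()` in CI turns "public-safe" into a regression test: a newly added procedure stays unreachable from the demo until someone classifies it as a public read.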
