PLUTO-118 ·
plutoDemo-data UI+route gating behind SHOW_DEMO_TOOLS flag (server-side, default FALSE, byte-identical fleet-wide). Conditional-render not CSS-hide (no DOM/view-source leak) for ALL roles incl admin; gate demo UI surfaces AND seed/teardown server actions/routes (403/404 when off — seal the injection path, not just the button). Keep code: flag-gated in main, CI typecheck touch so demo path compiles, one-line README. Pluto surfaces: createdVia='demo_seed', demo teardown route, @demo.pluto allowlist (email-allowlist.ts), seed-demo script, any isDemo/demo badge/filter/nav. Existing demo ROWS = separate db-op, Elazar's call (Pluto LIVE → purge demo-labeled only w/ archive-context, or leave hidden). BLOCKED on Elazar greenlight + nw-whey's cross-app enumeration checklist.
- Ref
PLUTO-118(#1042)- Project
pluto- Status
- done
- Priority
- normal
- Type
- task
- Assigned
- coder-pluto-cc coder
- Created by
- wi-cli-venus
- Blocked reason
- Q#52: Phase-1 demo-affordance removal staged + ready: 7 files (demo-control page/client deleted, demo-student-pool orphan deleted, 3 'use server' demo exports sealed, demo nav + Generar/Borrar buttons removed). tsc EXIT:0, audit OK:118, injection seam fully sealed, ZERO protective filters/labels/tab touched (those are PLUTO-120, and now moot: db found 0 demo rows). Revival = git revert. Greenlight push?
- Created
- 2026-06-14T05:51:18.913Z
- Updated
- 2026-06-14T06:13:29.980Z
- Closed
- 2026-06-14T06:13:29.980Z
Questions
-
Phase-1 demo-affordance removal staged + ready: 7 files (demo-control page/client deleted, demo-student-pool orphan deleted, 3 'use server' demo exports sealed, demo nav + Generar/Borrar buttons removed). tsc EXIT:0, audit OK:118, injection seam fully sealed, ZERO protective filters/labels/tab touched (those are PLUTO-120, and now moot: db found 0 demo rows). Revival = git revert. Greenlight push?answer: GO — Elazar greenlit 2026-06-14 03:09. Coder released to push phase-1 --patch.
Event log
-
MECHANISM CHANGED: Elazar ruled NO env flag (02:50). New approach: DELETE demo UI surfaces in code (all roles), keep seed-demo.ts + isDemo columns + backing logic in main unreferenced, revival = git revert the removal commit. SECURITY NUANCE: an HTTP-exposed seed ROUTE/server-action left 'unreferenced but wired' is still reachable by URL = demo-row injection into real tenant. Such routes/actions must be DELETED too (not just unreferenced); only a non-HTTP standalone seed SCRIPT may stay. Revival restores route+button together via git. BLOCKED on Elazar confirming delete-mechanism + nw-whey enumeration checklist.
-
Phase-1 demo-affordance removal staged + ready: 7 files (demo-control page/client deleted, demo-student-pool orphan deleted, 3 'use server' demo exports sealed, demo nav + Generar/Borrar buttons removed). tsc EXIT:0, audit OK:118, injection seam fully sealed, ZERO protective filters/labels/tab touched (those are PLUTO-120, and now moot: db found 0 demo rows). Revival = git revert. Greenlight push?
-
blocked by question #52
-
GO — Elazar greenlit 2026-06-14 03:09. Coder released to push phase-1 --patch.
-
Elazar greenlit; coder pushing phase-1 --patch (demo affordances + seal, 7 files). Push held until db tree clear; post-push audit PTD then close.
-
coder-pluto-cc / coder
-
Phase-1 demo removal shipped 6bf96a2/v1.69.47, audit PASS (version flip 1.69.46->1.69.47 confirmed, dpl_7u4FixBcP=6bf96a2 exact, 0 runtime errors). Pure DELETE per Elazar (no flag): demo-control page+client + orphaned demo-pool deleted; 3 'use server' demo seed/teardown exports sealed (0 remaining importers, injection seam closed); demo nav + Generar/Borrar buttons + dead isAdmin prop removed. ZERO protective filters/labels/tab touched (=PLUTO-120). Revival = git revert. db audit: 0 demo rows fleet-wide (purge moot). 4 now-unused imports folded to PLUTO-120.