Redacted walkthrough
Demo
No database access, no workspace APIs, and no simulated telemetry. Six redacted wireframe slots use filenames in public/showcase/ (see showcase-demo.ts). Missing files show a clearly labeled placeholder instead of invented product data.
Why XFlow exists
Operators need one place to see what is connected, broken, and actionable.
XFlow is for builders managing more than one app. It does not replace deep logs, observability suites, Stripe, or Verixet. It gives the operator a workspace-scoped view of app setup, health evidence, event ingest, incidents, governance state, and the next action that keeps the ecosystem running.
First-run onboarding path
A new user should be able to move through this path without learning internal architecture terms first.
Step 1
Create or select a workspace
A workspace is the tenant boundary for apps, members, roles, audit trails, and billing evidence.
Step 2
Add the first app
Register the app name and slug so XFlow has a stable place to attach connections, events, incidents, and health evidence.
Step 3
Connect Verixet
Use Verixet as the billing and governance authority. XFlow consumes entitlement truth instead of inventing paid access locally.
Step 4
Verify app health
Run verification so XFlow can prove the app endpoint, bearer token, namespaces, and event ingest contract are wired correctly.
Step 5
Open the dashboard
Use Overview and Apps to see what is connected, what is missing, what is broken, and what action should happen next.
Step 6
Fix one setup item
Resolve an unverified connection, missing Verixet binding, or absent event feed, then rerun verification to close the loop.
5-minute walkthrough
The problem
Small SaaS teams usually run several apps but diagnose incidents through scattered dashboards, logs, Stripe state, and memory.
The app ecosystem
XFlow gives each app a workspace-scoped record with connections, environments, health, incidents, jobs, deployments, and events.
What XFlow monitors
XFlow tracks verified control-plane connections, event ingest outcomes, readiness, operational activity, and setup gaps.
When something breaks
The dashboard should point to the affected app, the missing or failing signal, and the next operator action instead of showing fake green metrics.
Billing and entitlements
Verixet is the production billing and entitlement authority. XFlow fails closed when Verixet authority is unavailable.
Proof for reviewers
The repo includes type, lint, unit, integration, build, smoke, and Verixet proof commands so reviewers can verify behavior instead of trusting screenshots.
Gallery
Demo workspace overview
Sample data and wireframe structure only. No live apps are connected from this public page.
Sample data
Sample apps catalog
Example inventory state showing where app setup, connection posture, and next actions appear.
Sample data
Wireframe per-app events
Ingest timeline for one app—correlation fields and categories. Redact payloads and identifiers.
Sample data
Sample incidents
Decision-support structure only. Counts and issue titles are not production claims.
Sample data
Sample metrics
Wireframe metric cards that explain placement. Live telemetry requires connected apps and collectors.
Sample data
Sample activity
Audit-oriented layout preview. No customer, user, workspace, or IP-derived data is shown.
Sample data
Illustrative UI structure
Generic labels—decision support patterns only.
Sample incident summary
Demo workspace · not live production data
Sample health panel
Wireframe preview · no live apps connected
Liveness
OK
Readiness
OK
Labels are generic; real consoles bind to collector results and probe definitions.
Example normalized payload
Illustrative JSON matching the documented ingest shape—not a live or customer record.
{
"request_id": "550e8400-e29b-41d4-a716-446655440000",
"dedupe_key": "example-app-prod-deploy-abc123",
"app_slug": "example-app",
"environment": "production",
"event_type": "deploy.completed",
"category": "deploy",
"severity": "info",
"title": "Deployment completed",
"description": "Version 1.2.3 deployed to production",
"source": "vercel",
"entity_type": "deployment",
"entity_id": "dpl_abc123",
"metadata": { "commit": "abc123", "branch": "main" },
"occurred_at": "2025-03-14T12:00:00Z",
"contract_version": "1.0"
}For technical reviewers
These are the engineering claims a reviewer should verify in the repo and with the proof scripts, not by trusting this public page.
Auth and RBAC
Dashboard APIs resolve the active workspace and enforce permissions before returning tenant-scoped data.
Workspace isolation
Workspace IDs are derived from authenticated context; client-provided workspace hints are not trusted for tenant boundaries.
Billing authority
Production billing authority must be explicit, and Verixet entitlement state gates paid feature access.
Event ingest
Control-plane events are bearer-authenticated, schema-validated, deduped, rate-limited, and recorded with request IDs.
Webhook idempotency
Stripe webhook events are ledgered by event ID so duplicates and stale subscription updates cannot silently overwrite newer state.
CSRF and CSP
Cookie-authenticated mutations use same-origin protections, and production CSP/security headers are covered by tests and smoke checks.
Production proof
`npm run smoke:production` and `npm run proof:verixet` provide operator-facing proof commands without printing secret values.